Multiple Vulnerabilities in ZurmoCRM 3.0.5

Posted by NaxoneZ . on Nov 30

Hi,

I found these issues in ZurmoCRM. All issues are reported in their GitHub.

1.- HTML Injection

– If you create a Product, list, etc. with this name:
<h1>injection</h1>
– When you go to the preview page (in this case products), you can see the
injection.

2.- Information Disclosure
When you put %00 in moduleClassName you can see the full path of the…
