Zurmo: Security Vulnerabilities
Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-01
Zurmo 3.2.4 has XSS via an admin's use of the name parameter in the reports section, aka the app/index.php/reports/default/details?id=1 URI.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-12-19
Zurmo 3.2.4 allows HTML Injection via an admin's use of HTML in the report section, a related issue to CVE-2018-19506.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-12-19
Zurmo 3.2.4 Stable allows XSS via app/index.php/accounts/default/details?id=2&kanbanBoard=1&openToTaskId=1.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-09-07
Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-12-31
Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a data: URL in the redirectUrl parameter to app/index.php/meetings/default/createMeeting.
CVSS Score
4.8
EPSS Score
0.002
Published
2017-11-06
An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an http: URL in the redirectUrl parameter to app/index.php/meetings/default/createMeeting.
CVSS Score
4.8
EPSS Score
0.001
Published
2017-11-06
Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.
CVSS Score
5.4
EPSS Score
0.009
Published
2017-04-14
Cross-site scripting (XSS) vulnerability in Zurmo CRM 3.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "What's going on?" profile field.
CVSS Score
3.5
EPSS Score
0.002
Published
2015-07-02