Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-3398. PoCs published by AzzCoder.
AI-analyzed exploit summary: This is a technical writeup detailing multiple vulnerabilities in XRMS CRM, including Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and information disclosure via phpinfo(). The RFI vulnerability requires register_globals to be enabled and targets the $include_directory variable in activities/workflow-activities.php.
Description
Multiple cross-site scripting (XSS) vulnerabilities in XRMS CRM 1.99.2 allow remote attackers to inject arbitrary web script or HTML via the msg parameter to unspecified components, possibly including login.php. NOTE: this may overlap CVE-2008-1129.
Exploits (1)
This is a technical writeup detailing multiple vulnerabilities in XRMS CRM, including Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and information disclosure via phpinfo(). The RFI vulnerability requires register_globals to be enabled and targets the $include_directory variable in activities/workflow-activities.php.