CVE-2011-5214
BrowserCRM < 5.100.01 - Cross-Site Scripting via PATH_INFO or Login Parameter
Title source: llmExploitation Summary
EIP tracks 4 public exploits for CVE-2011-5214. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary The exploit demonstrates multiple XSS vulnerabilities in Browser CRM 5.100.01 by injecting JavaScript via URL paths, allowing cookie theft or further client-side attacks. The PoC provides direct URLs with payloads that trigger alert popups with document.cookie.
Description
Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php.
Exploits (4)
The exploit demonstrates multiple XSS vulnerabilities in Browser CRM 5.100.01 by injecting JavaScript via URL paths, allowing cookie theft or further client-side attacks. The PoC provides direct URLs with payloads that trigger alert popups with document.cookie.
This exploit demonstrates multiple XSS vulnerabilities in Browser CRM by injecting malicious scripts into form fields. The PoC shows how unsanitized user input can lead to arbitrary JavaScript execution.
The provided text describes a cross-site scripting (XSS) vulnerability in Browser CRM 5.100.01, where user-supplied input is not properly sanitized, allowing attackers to inject malicious scripts. The example URL demonstrates a simple XSS payload that steals cookie-based authentication credentials.
This exploit demonstrates multiple XSS vulnerabilities in Browser CRM by injecting JavaScript payloads into form fields. The PoC submits a crafted form to trigger stored or reflected XSS attacks.