CVE-2017-7188

MEDIUM

Zurmo < 3.1.1 - Cross-Site Scripting via Base64-Encoded SCRIPT Element in returnUrl Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-7188. PoCs published by faizzaidi.

AI-analyzed exploit summary This repository contains a README file describing a Cross-Site Scripting (XSS) vulnerability in Zurmo Stable 3.1.1, assigned CVE-2017-7188. No exploit code or technical details are provided beyond the CVE reference.

Description

Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.

Exploits (1)

nomisec WRITEUP 2 stars

by faizzaidi · poc

https://github.com/faizzaidi/Zurmo-Stable-3.1.1-XSS-By-Provensec-LLC

View Code ZIP pw:eip

This repository contains a README file describing a Cross-Site Scripting (XSS) vulnerability in Zurmo Stable 3.1.1, assigned CVE-2017-7188. No exploit code or technical details are provided beyond the CVE reference.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Theoretical

Target: Zurmo Stable 3.1.1

No auth needed

Prerequisites: Access to a vulnerable Zurmo instance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://bitbucket.org/zurmo/zurmo/issues/426/to-report-a-xss-security-vulnerability-in

Exploit, Third Party Advisory x_refsource_misc

https://github.com/faizzaidi/Zurmo-Stable-3.1.1-XSS-By-Provensec-LLC

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/97681

Scores

CVSS v3 5.4

EPSS 0.0139

EPSS Percentile 68.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

zurmo/zurmo_crm < 3.1.1

Published Apr 14, 2017

Tracked Since Feb 18, 2026