This exploit demonstrates a stored XSS vulnerability in OroCRM where an attacker can inject malicious JavaScript into the email field of a lead, which executes when viewed. The payload uses an img tag with an onerror event to trigger a confirm dialog.
Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:OroCRM (version not specified)
Auth required
Prerequisites:Access to create or edit a lead in OroCRM