VYPR
Unrated severity · NVD Advisory · Published Dec 25, 2020 · Updated Aug 4, 2024

CVE-2020-35705

Description

Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Daybyday CRM 2.1.0 is vulnerable to stored cross-site scripting (XSS) via the Name parameter on the New User screen.

Vulnerability

Daybyday CRM version 2.1.0 contains a stored cross-site scripting (XSS) vulnerability in the Name parameter of the New User screen. An attacker with access to create users can inject arbitrary JavaScript code into the Name field. This code is stored in the database and executed when other users view the affected user's name, for example in user lists or profiles. The vulnerability is present in version 2.1.0 as described in the CVE [1].

Exploitation

To exploit this vulnerability, an attacker must have the ability to create new users in the Daybyday CRM application (typically an administrator or user with user management permissions). The attacker enters a malicious payload, such as ``, into the Name field during user creation. No additional user interaction is required beyond the victim viewing the stored name. The payload is executed in the victim's browser when the page renders the user's name.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft (e.g., CSRF tokens, cookies), unauthorized actions performed on behalf of the victim, or defacement of the application. The attacker gains the same privileges as the victim user, potentially escalating to full administrative control if the victim is an admin.

Mitigation

The vulnerability exists in Daybyday CRM version 2.1.0. The vendor has released versions 2.2.0 and 2.2.1 [1], but the release notes do not explicitly mention a fix for this XSS issue. Users should upgrade to the latest available version (2.2.1) and verify that the Name parameter is properly sanitized. If no patch is confirmed, input validation and output encoding should be applied to the Name field as a workaround. No CISA KEV listing is known at this time.
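The workaround the paragraph above describes, output encoding of the stored Name plus an input-side check, is shown below as an added example. This is illustration code written for this page, not Daybyday's code; the field names (`name`, `email`), the row-rendering functions and the sample user record are all constructed for the example, and the rendering is done in plain JavaScript so the contrast between concatenating a stored value into markup and HTML-encoding it first is visible in one place. The `auditStoredNames` helper is for an operator who has upgraded and wants to find Name values already stored with markup characters, as the paragraph recommends verifying.

```javascript
// Added example (not Daybyday CRM's code): stored-XSS mitigation for a user "Name" field.
// Assumptions: user records are objects with `name` and `email`; rendering builds HTML rows.

// Entity map for the HTML element-content and attribute-value contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode an untrusted value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is placed into markup verbatim, so a payload
// saved through the New User screen runs in every browser that renders the row.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.name}</td><td>${user.email}</td></tr>`;
}

// Hardened pattern: every untrusted field is output-encoded at the point of rendering.
// The raw value stays in the database unchanged; encoding is a property of the output.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.name)}</td><td>${escapeHtml(user.email)}</td></tr>`;
}

// Input-side check applied when a user is created: a display name does not need
// angle brackets, so reject them early. This is defence in depth, not a replacement
// for output encoding (apostrophes and ampersands are legitimate and still encoded).
function isAcceptableName(name) {
  return typeof name === 'string'
    && name.trim().length > 0
    && name.length <= 100
    && !/[<>]/.test(name);
}

// Post-upgrade audit: return the ids of stored users whose Name already carries
// markup characters, so an operator can review records saved before the fix.
function auditStoredNames(users) {
  return users.filter((u) => /[<>]/.test(String(u.name))).map((u) => u.id);
}

// Constructed sample data: one benign record and one carrying a script payload.
const SAMPLE_USERS = [
  { id: 1, name: "Ana O'Neil & Sons", email: 'ana@example.com' },
  { id: 2, name: '<script>alert(1)</script>', email: 'sample@example.com' },
];

// Stand-alone run: show the two renderings side by side and the audit result.
for (const user of SAMPLE_USERS) {
  console.log('unsafe:', renderUserRowUnsafe(user));
  console.log('safe:  ', renderUserRowSafe(user));
}
console.log('records with markup in Name:', auditStoredNames(SAMPLE_USERS));
```

If the application's templates already escape by default (Laravel's Blade does so for `{{ }}` but not for `{!! !!}`), the check for a stored-XSS report like this one is to find the template or JavaScript path that emits the name without that escaping; the encoding above is what that path must apply.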

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.