VYPR
Moderate severity · NVD Advisory · Published Feb 20, 2023 · Updated Mar 10, 2025

Erxes vulnerable to Cross-site Scripting

CVE-2021-32853

Description

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from a malicious website. There are no known patches.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Erxes versions 0.22.3 and prior allows an attacker to execute client-side code by tricking a victim into following a malicious link.

Vulnerability

Description

Erxes, an open-source experience operating system (XOS) that unifies marketing, sales, and support functions, contains a cross-site scripting (XSS) vulnerability in versions 0.22.3 and earlier. The flaw resides in the widget server component, specifically in how user-controlled input is rendered in the EJS template widget.ejs [4]. The code in widgets/server/index.ts does not properly sanitize or escape data before including it in the server-rendered view, allowing an attacker to inject arbitrary JavaScript into the page [3][1].

Exploitation

Vector

To exploit CVE-2021-32853, the attacker must deliver a crafted URL to a victim, either by embedding it in a phishing email or forum post, or by redirecting the victim from a malicious site. The victim must be using a vulnerable instance of Erxes (≤ 0.22.3) and click on the malicious link. No authentication is required on the part of the attacker to craft the payload; the XSS triggers when the victim's browser renders the attacker-controlled input within the widget's server-rendered view [1][4].

Impact

If a victim visits the malicious link, the injected script executes in the context of the Erxes application domain. This enables the attacker to perform a range of client-side actions, such as stealing session cookies, modifying page content, or redirecting the user to further phishing pages. Since Erxes handles sensitive business data (CRM, marketing, support), successful exploitation could lead to data exposure or account takeover [1][2].

Mitigation

Status

The CVE advisory explicitly states that there are no known patches as of the publication date [1]. Users running affected versions should consider upgrading to a newer version if one becomes available, or apply mitigations such as strict Content Security Policy (CSP) headers and input validation on server-rendered templates until an official fix is released. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
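To make the escaping and CSP points above concrete, here is an added example (not code from Erxes or from the ejs package): a minimal stand-in for EJS's escaped (`<%= %>`) and raw (`<%- %>`) output tags, rendering a constructed widget field both ways, plus a builder for a strict Content-Security-Policy header. The widget markup, the `brandName` field and the input string are assumptions for illustration, not details taken from the vulnerable template.

```javascript
// Added example (not Erxes code, not the ejs package): a minimal renderer that
// mirrors EJS's two output tags, <%= expr %> (HTML-escaped) and <%- expr %>
// (raw), to show why unescaped user data in a server-rendered view is XSS.
// The widget template, field name and input below are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tiny template engine: handles only simple variable tags, no code blocks.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_match, mode, key) => {
    const value = data[key] === undefined ? '' : data[key];
    return mode === '=' ? escapeHtml(value) : String(value);
  });
}

// Hypothetical widget views: the first interpolates raw, the second escapes.
const UNSAFE_WIDGET = '<div class="erxes-widget"><%- brandName %></div>';
const SAFE_WIDGET   = '<div class="erxes-widget"><%= brandName %></div>';

// Constructed, inert test input of the kind a crafted link could carry.
const CONSTRUCTED_INPUT = '<script>console.log("x")</script>';

// Review/test helper: did rendering introduce a <script> element that the
// template itself never declared?
function introducesScript(template, html) {
  return !/<script\b/i.test(template) && /<script\b/i.test(html);
}

// Defender-side complement to escaping: a strict, nonce-based CSP that blocks
// inline and injected scripts even if escaping is missed in one view.
function strictCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

const unsafeHtml = render(UNSAFE_WIDGET, { brandName: CONSTRUCTED_INPUT });
const safeHtml = render(SAFE_WIDGET, { brandName: CONSTRUCTED_INPUT });
console.log(introducesScript(UNSAFE_WIDGET, unsafeHtml)); // true: input became markup
console.log(introducesScript(SAFE_WIDGET, safeHtml));     // false: input is inert text
```

In a real Express/EJS deployment the header value would be set per response with a fresh nonce, and the same nonce placed on the application's own legitimate script tags.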

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: erxes (npm)
Affected versions: <= 1.0.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)