CVE-2023-44915
Description
A cross-site scripting (XSS) vulnerability in the component /Login.php of c3crm up to v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login_error parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in c3crm (Yike CRM) Login.php allows attackers to execute arbitrary scripts via crafted login_error parameter.
Vulnerability Details
The vulnerability resides in the /Login.php component of c3crm (also known as Yike CRM) versions up to 3.0.4. The login_error parameter, received via a GET request, is directly echoed into the HTML response without proper sanitization or encoding [2][3]. This lack of output encoding allows an attacker to inject arbitrary JavaScript or HTML.
Exploitation
Exploitation requires no authentication; an attacker can craft a malicious URL containing a payload in the login_error parameter. For example, ?login_error=<script>alert("xss");</script> triggers the script execution in the victim's browser when the link is visited [3]. The attack is reflected, meaning the payload is not stored on the server but delivered via the crafted link.
Impact
Successful exploitation enables an attacker to execute arbitrary web scripts in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Given that c3crm is used by over 10,000 companies, primarily in China, the potential for widespread impact is significant [1][3].
Mitigation
As of the publication date, no official patch has been announced for versions up to 3.0.4. Mitigation recommendations include validating the login_error parameter and applying proper output encoding (HTML escaping) wherever its value is rendered into the page, as well as deploying a Web Application Firewall (WAF) as a compensating control to filter malicious payloads [3]. Users should monitor the vendor's repository for updates.
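The following added example illustrates both the Vulnerability Details and the Mitigation sections above. It is not c3crm's code: the parameter name login_error and the alert payload come from the advisory, while the login form layout, the function names, and the fixed message table are assumptions made for the illustration. The vulnerable function reflects the raw query value into HTML; the hardened function maps the parameter to a server-side message and HTML-encodes it before output.

```php
<?php
// Added illustration (not c3crm's code). Shows a login page that reflects
// $_GET['login_error'] into its HTML, first unencoded (the flaw described
// in the advisory) and then with whitelisting plus output encoding.
// The parameter name is from the advisory; the page structure is assumed.

declare(strict_types=1);

// Vulnerable rendering: raw reflection of attacker-controlled input.
function renderLoginVulnerable(array $query): string
{
    $error = $query['login_error'] ?? '';
    return '<form method="post" action="/Login.php">'
        . '<p class="error">' . $error . '</p>'   // no output encoding
        . '<input name="user"><input name="pass" type="password">'
        . '</form>';
}

// Fixed, server-side error messages (assumed keys for the illustration).
const LOGIN_ERRORS = [
    'bad_credentials' => 'Invalid username or password.',
    'locked'          => 'Account temporarily locked.',
];

// Hardened rendering: the parameter selects a known message, and the
// message is encoded for the HTML text context before it is emitted.
function renderLoginHardened(array $query): string
{
    $key = $query['login_error'] ?? '';
    // Unknown keys render nothing, so arbitrary text never reaches the page.
    $message = LOGIN_ERRORS[$key] ?? '';
    // Encode anyway (defense in depth) so a future message containing
    // markup-significant characters cannot break out of the element.
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="/Login.php">'
        . '<p class="error">' . $safe . '</p>'
        . '<input name="user"><input name="pass" type="password">'
        . '</form>';
}

// Encoding-only helper for code that must keep free-text messages:
// ENT_QUOTES covers both quote styles so the value is also safe inside
// quoted attributes; ENT_HTML5 and the explicit charset avoid parser
// mismatches.
function encodeForHtmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration with the payload quoted in the advisory (constructed request).
$request = ['login_error' => '<script>alert("xss");</script>'];

$vuln = renderLoginVulnerable($request);
$hard = renderLoginHardened($request);

echo 'vulnerable output contains <script>: '
    . (str_contains($vuln, '<script>') ? 'yes' : 'no') . PHP_EOL;
echo 'hardened output contains <script>:   '
    . (str_contains($hard, '<script>') ? 'yes' : 'no') . PHP_EOL;
echo 'encoded free text: ' . encodeForHtmlText($request['login_error']) . PHP_EOL;
```

Run with `php example.php` (PHP 8 or later for str_contains). The vulnerable branch reports that the script tag survives verbatim; the hardened branch reports that it does not, and the free-text line shows the encoded form `&lt;script&gt;alert(&quot;xss&quot;);&lt;/script&gt;`, which the browser renders as inert text. Whitelisting the parameter is the stronger fix because it removes the reflection entirely; encoding is still applied so the page stays safe if a message is later changed.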
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.