CVE-2024-45932
Description
Krayin CRM v1.3.0 is vulnerable to Cross Site Scripting (XSS) via the organization name field in /admin/contacts/organizations/edit/2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| krayin/laravel-crm (Packagist) | <= 1.3.0 | — |
Affected products
- Krayin / Krayin CRM
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping in the organization name field allows stored cross-site scripting."
Attack vector
An attacker with access to the organization name field on the "Edit Person" page can inject a persistent XSS payload. The payload is stored and later executed when any user views the associated person's page, because the organization name is reflected there without sanitization [CWE-79] [ref_id=1]. The attacker can use a payload such as `2">
Affected code
The vulnerable endpoint is `/admin/contacts/organizations/edit/2` (full path `/laravel-crm/admin/contacts/organizations/edit/2`). The organization name field in the "Edit Person" page does not sanitize or escape user input before reflecting it on the associated person's page [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory recommends that the application properly sanitize or escape user input in the organization name field before reflecting it on the person's page [ref_id=1]. Without a fix, the stored XSS remains exploitable.
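To make the escaping requirement concrete, an added example in PHP (the language Krayin is written in; this is not Krayin's own code): the raw output pattern next to its escaped form, followed by a scan a defender would run over already-stored organization names after deploying an output-escaping fix. The function names, regex and sample rows are assumptions for illustration.

```php
<?php
// Added example, not Krayin's code. Shows the vulnerable raw-output pattern beside
// its escaped form, plus a retrospective scan of stored organization names.
// Function names, the regex and the sample rows are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: raw interpolation, the equivalent of Blade's {!! $name !!}.
// Whatever was stored in the organization name reaches the browser unchanged.
function renderOrganizationRaw(string $name): string
{
    return '<a class="org" title="' . $name . '">' . $name . '</a>';
}

// Hardened pattern: the equivalent of Blade's {{ $name }}, which escapes with
// htmlspecialchars() and ENT_QUOTES so quotes and angle brackets become entities.
function renderOrganizationEscaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="org" title="' . $safe . '">' . $safe . '</a>';
}

// Escaping on output does not clean rows that were stored before the fix, so a
// defender also scans existing names for markup or event-handler attributes.
// Returns the ids of rows worth reviewing.
function findSuspiciousNames(array $rows): array
{
    $hits = [];
    foreach ($rows as $id => $name) {
        if (preg_match('/<\s*\w|on\w+\s*=|javascript:/i', $name)) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample data: one benign organization and one carrying markup.
$rows = [
    1 => 'Acme Ltd',
    2 => 'Acme"><script>alert(1)</script>',
];

echo renderOrganizationRaw($rows[2]), PHP_EOL;      // a browser would run the script
echo renderOrganizationEscaped($rows[2]), PHP_EOL;  // shown as literal text instead
print_r(findSuspiciousNames($rows));
```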
Preconditions
- Auth: the attacker must have access to the "Edit Person" page at /admin/contacts/organizations/edit/2
- Input: the application must not sanitize or escape the organization name field
Reproduction
1. Navigate to `/laravel-crm/admin/contacts/organizations/edit/2`.
2. In the "Organization" name field, insert the payload: `2">
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References