CVE-2025-70936
Description
Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user's session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the _folder parameter of the Vtiger CRM 8.4.0 MailManager module lets an attacker run script in an authenticated user's session via a double URL-encoded payload.
Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. The _folder parameter is not properly sanitized, and a specially crafted double URL-encoded payload is reflected back into the page and rendered by the victim's browser. That the payload has to be double-encoded typically indicates the parameter is URL-decoded a second time after whatever filtering is applied to it: the filter inspects the once-decoded value, sees no markup, and the later decode restores it. The restored value is then written into the page without sufficient output encoding.
Exploitation requires an authenticated victim, not an authenticated attacker: the MailManager page is only reachable by a logged-in user, so the person who opens the link must hold a valid Vtiger session, while the attacker needs no account and no special network position. The attacker crafts a link carrying the double URL-encoded payload in the _folder parameter and induces the victim to open it, after which the injected JavaScript runs in the victim's browser with the privileges of the victim's session.
Successful exploitation lets the attacker act as the victim within the CRM: read sensitive records, modify CRM data, or trigger actions the victim is permitted to perform. Because the XSS is reflected, nothing is stored on the server and each victim must be lured individually, but the script runs with the full privileges of the victim's session, so the impact can still be severe.
As of this writing, Vtiger has not released a specific security advisory for this issue [1]. Users of version 8.4.0 should upgrade as soon as a fixed release is available. Until then, the practical mitigation is to validate _folder against the set of folder names the MailManager actually exposes, with the check performed after all URL decoding, and to HTML-encode the value wherever it is written into a page. Any filter or WAF rule placed in front of the application must decode the parameter fully before inspecting it, since a check on the once-decoded value is exactly what a double-encoded payload bypasses. The vendor's open-source CRM page highlights version 8.4.0's features, but does not mention any security fixes related to this vulnerability.
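The following Python model is an added example, not Vtiger's code; the page does not show the vulnerable code path, so the handler names, the character filter, the second decode and the folder allowlist are assumptions used to illustrate the class of bug. It shows why a filter that inspects the once-decoded _folder value misses a double URL-encoded payload, and the two controls the mitigation above relies on: allowlist validation after full decoding, and HTML encoding at the point of output. The query strings are constructed samples.

```python
"""Hypothetical model of a double-URL-encoding reflected XSS (not Vtiger's code).

The handler receives the raw query string as a web server would. parse_qs performs
the first URL decode, as the server does; the second decode models an application-
level unquote that runs after the filter, which is what a double-encoded payload
relies on.
"""
import html
import re
from urllib.parse import parse_qs, unquote

# Constructed samples. In DOUBLE_ENCODED, %25 is an encoded '%', so one decode
# yields %3Cscript%3E... and only a second decode yields <script>...
DOUBLE_ENCODED = "module=MailManager&_folder=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
SINGLE_ENCODED = "module=MailManager&_folder=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
BENIGN = "module=MailManager&_folder=INBOX"

# Assumed denylist-style filter: rejects values containing HTML-significant characters.
XSS_MARKERS = re.compile(r"[<>\"']")

# Assumed allowlist of folder names the mail view exposes.
KNOWN_FOLDERS = ("INBOX", "Sent", "Drafts")


def folder_param(query_string: str) -> str:
    """First decode: what the web server hands the application (parse_qs unquotes once)."""
    return parse_qs(query_string, keep_blank_values=True).get("_folder", [""])[0]


def vulnerable_render(query_string: str) -> str:
    """Filter runs on the once-decoded value, then the app decodes again and echoes raw."""
    folder = folder_param(query_string)
    if XSS_MARKERS.search(folder):
        return "<p>Invalid folder</p>"
    folder = unquote(folder)  # second decode restores the < > the filter never saw
    return f"<h2>Folder: {folder}</h2>"  # no output encoding


def hardened_render(query_string: str, known_folders=KNOWN_FOLDERS) -> str:
    """Decode fully, validate against an allowlist, and HTML-encode on output regardless."""
    folder = fully_decoded(folder_param(query_string))
    if folder not in known_folders:
        return "<p>Invalid folder</p>"
    return f"<h2>Folder: {html.escape(folder, quote=True)}</h2>"


def fully_decoded(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing (bounded), so inspection sees what the app will.

    This is the normalisation a WAF rule or log check needs before matching on _folder.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def is_payload_reflected(page: str) -> bool:
    """True when an executable tag reached the response unescaped."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    for name, qs in (("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED), ("benign", BENIGN)):
        print(name, "vulnerable:", vulnerable_render(qs))
        print(name, "hardened: ", hardened_render(qs))
```

The single-encoded payload is caught by the assumed filter while the double-encoded one passes it and is reflected as live markup, which is the behaviour the description attributes to _folder. The hardened handler does not depend on the filter at all: it decodes to a fixed point, rejects anything outside the allowlist, and escapes the value on output so that even an allowlist gap could not produce executable markup.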
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.