# Affected software: Zurmo CRM# Zurmo is an Open Source Customer Relationship Management (CRM)
application that is# mobile, social, and gamified. We use a test-driven methodology for
building every part of the # application.# Type of vulnerability: XSS Stored# URL: zurmo.com## Discovered by: Provensec# Website: http://www.provensec.com# Description: ZumoCRM is prone to a Persistent Cross Site Scripting attack
that allows a malicious user to inject HTML or scripts that can access any
cookies, session tokens,or other
sensitive information retained by your browser and used with that site.# Proof of concept# 1. Create a report as a Normal user# 2. Select module: Accounts# 3. Select filter: Name# 4. Select column Employees and as a value use: "><script>alert('XSS by
Provensec')</script># 5. Save the report and share it with other users to distribute your
malicious code.
