A user can inject any SQL code into the view function to run arbitrary SQL code on the database. For example, a hacker can inject the following query to delete all the tasks from the system:

UPDATE task SET status = '0' WHERE id = 1;

If a user can reach the task table through this SQL injection, then an attacker can delete all the tasks in the system. A hacker can exploit this SQL injection to perform various actions:

1. Exploiting the SQL injection to delete all the tasks in the system.

2. Exploiting the SQL injection to change all the tasks in the system.

3. Exploiting the SQL injection to add new tasks in the system.

4. Exploiting the SQL injection to edit the tasks in the system.

5. Exploiting the SQL injection to delete the tasks in the system.
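
The injection described above, shown as an added example that is not code from 72crm or from the original advisory: a hypothetical task view function that concatenates the request parameter into SQL (and hands it to a driver call that accepts several statements) next to a hardened version that validates the id and binds it through a placeholder. The schema, table contents and function names are constructed for this example; sqlite3 stands in for whatever database 72crm uses.

```python
import sqlite3

# Constructed sample data: a minimal "task" table like the one the advisory names.
SAMPLE_TASKS = [(1, "write report", "1"), (2, "review patch", "1")]


def make_db():
    """Create an in-memory database with the constructed task table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO task VALUES (?, ?, ?)", SAMPLE_TASKS)
    conn.commit()
    return conn


def view_task_vulnerable(conn, raw_id):
    """Hypothetical unsafe view: the id parameter is pasted into the SQL text.

    executescript() models a driver call that runs every statement it is
    given, so a stacked UPDATE appended to the id runs against the table.
    (It discards SELECT results, which is why this function returns nothing.)
    """
    conn.executescript(f"SELECT id, name, status FROM task WHERE id = {raw_id};")


def view_task_safe(conn, raw_id):
    """Hardened view: reject anything but a plain integer, then bind it.

    The placeholder keeps the value out of the SQL text entirely, so the
    statement quoted in the advisory can never be executed through it.
    """
    if not raw_id.isdigit():
        raise ValueError("task id must be a positive integer")
    cur = conn.execute(
        "SELECT id, name, status FROM task WHERE id = ?", (int(raw_id),)
    )
    return cur.fetchall()


def task_status(conn, task_id):
    """Return the status column of one task, or None if it does not exist."""
    row = conn.execute("SELECT status FROM task WHERE id = ?", (task_id,)).fetchone()
    return row[0] if row else None


# Constructed payload: a valid id followed by the UPDATE the advisory quotes.
PAYLOAD = "1; UPDATE task SET status = '0' WHERE id = 1"
```

Running the payload through the vulnerable view flips task 1 to status '0'; the hardened view refuses it and leaves the table untouched.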

In addition to SQL injection, 72crm 9.0 also has an XSS vulnerability. A user can inject any JavaScript code into the view function to execute arbitrary JavaScript code on the database. For example, a hacker can inject the following code to delete all the tasks:

delete $(input('input type="hidden" name="tasks">'))xss-vuln@XSS

The XSS vulnerability is also a critical vulnerability. It allows an attacker to inject any JavaScript code into the view function, after which the hacker can run arbitrary JavaScript code on the database.

72crm 9.0 Detection Instructions

72crm 9.0 has two vulnerabilities, both of which are critical. It is highly recommended that 72crm 9.0 be patched with the latest patch.

72crm 9.0 has been identified as vulnerable to SQL injection and XSS attacks. It is recommended that users of 72crm 9.0 update to the latest patch or use a different database management system if available.

72crm 9.0 - SQL Injection and XSS Vulnerabilities

Timeline

Published on: 08/24/2022 17:15:00 UTC
Last modified on: 08/29/2022 02:32:00 UTC