How White-Box hacking works: XSS in OroCRM

Recently, Lyhin’s Lab decided to take a more challenging application. OroCRM v4.1.6:

  1. Has 785 stars and 260 forks on Github
  2. PHP Symphony framework
  3. Is being actively maintained

And after a few hours of active researching, Darina Goncharenko found an XSS vulnerability.

Steps to reproduce

Severity: Medium

1. Log in as administrator and create a new product;
2. Fill the description field with payload using HTML encoding:
Example: <embed src=//>

3. Save changes and note the embedded script executes every time when the product is edited.


To mitigate similar issues, implement validation and output encoding for input parameters handled by the application.

We determine the overall security level of OroCRM application v4.1.6 as “High”. We were pleased by the conversation with OroCRM, they received our recommendation and took their 60 days to remediate this issue. We note, that we did not re-test this issue.

LL advises all the researchers to avoid breaking real applications illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich.