CVE ID :CVE-2026-31845
Published : April 11, 2026, 6:26 p.m. | 42 minutes ago
Description :A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type enforcement. The vulnerability is caused by the following code: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); This results in arbitrary JavaScript execution in the context of the victim's browser when a crafted URL is visited. An attacker can exploit this issue by sending a malicious link such as: https://TARGET/api/tel/zadarma.php?zd_echo= When a victim clicks the link, the payload executes in the application context, enabling session theft, phishing, and potential account takeover if sensitive users are targeted.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
from Latest Vulnerabilities https://ift.tt/v5ye6L3
via IFTTT
Published : April 11, 2026, 6:26 p.m. | 42 minutes ago
Description :A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type enforcement. The vulnerability is caused by the following code: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); This results in arbitrary JavaScript execution in the context of the victim's browser when a crafted URL is visited. An attacker can exploit this issue by sending a malicious link such as: https://TARGET/api/tel/zadarma.php?zd_echo= When a victim clicks the link, the payload executes in the application context, enabling session theft, phishing, and potential account takeover if sensitive users are targeted.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
from Latest Vulnerabilities https://ift.tt/v5ye6L3
via IFTTT