[] NeoSense
E X P L O I T S
title author type platform port cve id

OroCRM - Persistent Cross-Site Scripting

Author: Provensec
type: webapps
platform: php
port: 80.0
date_added: 2014-09-11 
date_updated: 2014-09-11 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comcrm-application.tar.gz
# Affected software: OroCRM is an easy-to-use, open source CRM with built in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing!
# Discovered by: Provensec
# Website: http://www.provensec.com
# Author: Provensec Labs
# Type of vulnerability: XSS Stored
# Description:

1 Goto http://server add a new lead fill all the fields properly but Fill the email filed with xss payload  as given in the screenshot
http://prntscr.com/4lf043

payload used "><img src=d onerror=confirm(/provensec/);>

2 click save and close button

http://prntscr.com/4lf0ej
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.