
CVE-2025-45755: n/a

Medium
Published: Wed May 21 2025 (05/21/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.

AI-Powered Analysis

Last updated: 07/07/2025, 12:26:39 UTC

Technical Analysis

CVE-2025-45755 is a Stored Cross-Site Scripting (XSS) vulnerability identified in Vtiger CRM Open Source Edition version 8.3.0. The vulnerability arises from improper sanitization of user input during the import of Services via CSV files. Specifically, an attacker can craft a malicious CSV file containing an XSS payload embedded in the 'Service Name' field. When this file is uploaded through the Services Import feature, the application fails to properly sanitize the input, resulting in persistent script execution within the context of the affected web application. This persistent XSS allows an attacker to execute arbitrary JavaScript code in the browsers of users who view the affected service entries, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network without privileges, requires user interaction (such as an authenticated user viewing the malicious content), and impacts confidentiality and integrity with a scope change, but does not affect availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input leading to XSS.

Potential Impact

For European organizations using Vtiger CRM Open Source Edition 8.3.0, this vulnerability poses a significant risk to the confidentiality and integrity of their CRM data and user sessions. Since CRM systems often contain sensitive customer information, contact details, and business-critical data, exploitation could lead to unauthorized data disclosure or manipulation. Persistent XSS can also facilitate phishing attacks within the organization by injecting malicious scripts that alter the user interface or redirect users to fraudulent sites. The scope change indicated by the CVSS vector means that the vulnerability can affect components beyond the initially targeted service import feature, potentially compromising other parts of the CRM application. This could disrupt business operations and damage trust with clients and partners. Although no availability impact is noted, the reputational damage and potential regulatory implications under GDPR for data breaches involving personal data could be substantial. The requirement for user interaction (viewing the malicious entry) means that social engineering or insider threat vectors could be leveraged by attackers.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediately restrict or disable the Services Import feature in Vtiger CRM 8.3.0 until a patch is available.
2) Implement strict input validation and sanitization on CSV import functionality, especially for fields that accept free text such as 'Service Name'.
3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the CRM web interface.
4) Conduct user training to recognize suspicious entries or unexpected behavior within the CRM.
5) Monitor logs for unusual import activities or repeated failed attempts to upload CSV files.
6) If possible, upgrade to a patched or newer version of Vtiger CRM once available.
7) Use web application firewalls (WAFs) with rules targeting XSS payload patterns to provide an additional layer of defense.
8) Regularly audit CRM user permissions to minimize exposure and ensure only trusted users can perform imports.

These measures go beyond generic advice by focusing on the specific attack vector and operational context of the vulnerability.
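As an added example (not code from Vtiger CRM or this advisory), the import-then-render pattern behind this bug class in Python: the unescaped rendering of a stored field beside its output-encoded form, plus a heuristic check that flags free-text import rows containing markup so they can be logged (mitigations 2 and 5 above). The CSV content, column names and row layout are constructed for illustration.

```python
import csv
import html
import io
import re

# Constructed sample in the shape of a Services import with a free-text "Service Name" column.
# Row 2 carries a harmless script tag standing in for any markup an import should flag.
SAMPLE_CSV = """Service Name,Service No,Price
Consulting,SRV-1,100
"<script>alert(1)</script>",SRV-2,200
Support & Maintenance,SRV-3,300
"""


def parse_services(text):
    """Parse the CSV into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def render_vulnerable(service):
    """The stored-XSS pattern: the stored value is concatenated into HTML as-is."""
    return "<td>" + service["Service Name"] + "</td>"


def render_hardened(service):
    """Contextual output encoding: escape before inserting into an HTML text node.

    Escaping on output protects every view of the stored value, whatever
    path (CSV import, form, API) wrote it to the database.
    """
    return "<td>" + html.escape(service["Service Name"], quote=True) + "</td>"


# Heuristic for import logging only; it is not a substitute for output encoding.
MARKUP_RE = re.compile(r"[<>]|javascript:|on\w+\s*=", re.IGNORECASE)


def flag_suspicious_rows(services, field="Service Name"):
    """Return (csv_row_number, value) for rows whose free-text field contains markup.

    Row numbers count the header as row 1, matching what a reviewer sees in the file.
    """
    return [(i + 2, s[field]) for i, s in enumerate(services) if MARKUP_RE.search(s[field])]


if __name__ == "__main__":
    rows = parse_services(SAMPLE_CSV)
    for row in rows:
        print(render_hardened(row))
    print("flagged:", flag_suspicious_rows(rows))
```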


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682e44190acd01a24924ee8b

Added to database: 5/21/2025, 9:22:33 PM

Last enriched: 7/7/2025, 12:26:39 PM

Last updated: 8/9/2025, 9:47:42 AM
