Eine reflektierte Cross-Site Scripting (XSS) Schwachstelle existiert in Rukovoditel CRM Version 3.6.4 und früher in dem Zadarma Telefonie API Endpunkt (/api/tel/zadarma.php). Die Anwendung reflektiert direkt

The vulnerability lies within the Zadarma telephony API endpoint (/api/tel/zadarma.php) where the 'zd_echo' GET parameter is directly reflected into the HTTP response without proper sanitization. An attacker can craft a malicious URL containing JavaScript payloads. When a victim clicks this link, the payload executes in their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or perform actions on their behalf. The potential impact includes account takeover, data theft, and defacement of the CRM interface. This XSS vulnerability could be leveraged to gain unauthorized access to sensitive customer data stored within the CRM system.

Organizations using Rukovoditel CRM versions 3.6.4 and earlier, particularly those relying on the Zadarma telephony integration, are at significant risk. Shared hosting environments where multiple customers share the same CRM instance are especially vulnerable, as a compromise of one customer could potentially impact others.

• php: Examine web server access logs for requests containing the 'zd_echo' parameter with unusual or obfuscated values.

grep 'zd_echo=[a-zA-Z0-9;,"'<>]' /var/log/apache2/access.log

• generic web: Use curl to test the endpoint with a simple JavaScript payload: curl 'http://your-crm-url/api/tel/zadarma.php?zd_echo=<script>alert("XSS")</script>' and check the response for the alert box. • generic web: Check response headers for Content-Type: text/html when the 'zd_echo' parameter is present, indicating potential lack of proper encoding.

1. 2026-04-11Disclosure

   disclosure

1. Reserviert2026-03-09
2. Veröffentlicht2026-04-11
3. Geändert2026-04-13
4. EPSS aktualisiert2026-04-19

The primary mitigation is to upgrade Rukovoditel CRM to version 3.7 or later, which contains the necessary fix. If upgrading immediately is not possible, implement a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the 'zdecho' parameter. Additionally, carefully review and sanitize all user-supplied input before reflecting it in the HTTP response. Consider implementing strict content security policy (CSP) headers to limit the sources from which scripts can be executed. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload via the 'zdecho' parameter and verifying that it is not executed.