Platform: php
Component: sublime-crm
Fixed in: 20250207.0.1
CVE-2025-1360 describes a cross-site scripting (XSS) vulnerability, classified as problematic, in Sublime CRM versions up to 20250207. The affected component is the HTTP POST Request Handler in the file /crm/inicio.php: a crafted value of the msg_to parameter is written into the response without adequate output encoding, so script supplied by an attacker runs in the browser of the user whose request carries it, with that user's session. The vulnerability is remotely exploitable. A fix is available in version 20250207.0.1.
Successful exploitation lets an attacker run arbitrary JavaScript inside the Sublime CRM application as rendered in the victim's browser. From there the usual XSS outcomes follow: session hijacking where the session cookie is readable by script, phishing through modified forms, and defacement of the CRM interface. Because the script acts with the victim's privileges, it can read or exfiltrate whatever CRM data that user can see, such as contact information, sales records and financial details, and can submit requests on the user's behalf. If the CRM is integrated with other systems reachable from the same browser session, those are exposed as well. Remote reachability of the endpoint increases the risk of widespread exploitation.
CVE-2025-1360 was publicly disclosed on 2025-02-16. The vendor, Internet Web Solutions, was contacted before disclosure but did not respond. As of this writing, no public proof-of-concept exploit is listed here. The CVSS base score is 3.5 (LOW); note that CVSS measures severity, not likelihood, and the EPSS estimate of 0.11% (30th percentile) is the better indicator of exploitation probability. The fix is a straightforward upgrade, so it is worth applying promptly. The vulnerability is not listed in CISA KEV.
Every organization running an affected version is exposed, and the consequences scale with the sensitivity of the customer data held in the CRM and with the privileges of the users whose sessions an attacker can reach. XSS runs in the browser, not on the server, so shared hosting matters only where several CRM instances are served from the same origin (same scheme, host and port, for example path-based deployments under one hostname): the browser's same-origin policy does not separate paths, so a payload injected through one instance can read the cookies and pages of the others. Deployments without a Content Security Policy, or with session cookies that lack the HttpOnly flag, give such a payload more to work with.
• php: Examine /crm/inicio.php for unsanitized handling of the 'msg_to' parameter. Search for echo or print statements that write user input into the page without HTML encoding. The vulnerable pattern looks like this:

```php
<?php
// Example of vulnerable code: the POST value is written to the page exactly as sent
echo $_POST['msg_to'];
?>
```

• generic web: Monitor access logs for unusual POST requests to /crm/inicio.php with suspicious values in the 'msg_to' parameter. Two caveats: a stock access log records only the request line, so a msg_to sent in the POST body is visible only if the value is also passed in the query string or if request-body logging (a WAF or ModSecurity audit log) is enabled; and payloads are URL-encoded in logs, so <script> appears as %3Cscript%3E.

```sh
# flags any msg_to value that begins with a non-alphanumeric character, which
# catches %3Cscript%3E and similar; expect some false positives
grep 'msg_to=[^a-zA-Z0-9]' /var/log/apache2/access.log
```

• generic web: Inspect the HTML response body rather than the headers: use the browser developer tools or view-source to check whether a submitted msg_to value appears in the page unencoded.

• generic web: Use curl to test the endpoint with a simple XSS payload (only against systems you are authorized to test). A vulnerable instance echoes the tags back verbatim, so the grep prints a match; a fixed instance returns them encoded as &lt;script&gt; and the grep prints nothing:

```sh
curl -s -X POST --data-urlencode "msg_to=<script>alert('XSS')</script>" \
  http://your-sublime-crm-url/crm/inicio.php | grep -n "<script>alert('XSS')</script>"
```
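The grep above is a coarse heuristic: a payload that is double-encoded, or that uses an inline event handler instead of a script tag, slips past it. The following PHP CLI script, added here as an example and not part of Sublime CRM or of the original advisory, decodes each msg_to value found in a log line and checks it against a small set of XSS markers. The log lines, the "BODY" line standing in for a request-body log, and the function names are constructed for illustration.

```php
<?php
// Added example, not part of Sublime CRM or of the original advisory: a small
// CLI scanner for the detection step above. Function names and the sample log
// lines are constructed for illustration.
declare(strict_types=1);

/**
 * Decode a raw parameter value the way the server would. Decoding twice also
 * exposes double-encoded payloads (%253C -> %3C -> <), which a plain grep for
 * "<script>" or "%3Cscript" misses.
 */
function decodeParam(string $raw): string
{
    return urldecode(urldecode($raw));
}

/** True when a decoded value carries common XSS markers. */
function hasXssMarkers(string $value): bool
{
    $patterns = [
        '/<\s*script\b/i',
        '/<\s*(img|svg|iframe|body|object|embed|a)\b/i',
        '/\bon[a-z]+\s*=/i',   // inline event handlers: onerror=, onload=, ...
        '/javascript\s*:/i',
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Return the decoded msg_to values in one log line that look like XSS.
 * msg_to is matched both in the request line (query string) and in a logged
 * request body; a stock Apache access log contains only the former.
 */
function suspiciousMsgTo(string $line): array
{
    $hits = [];
    if (preg_match_all('/(?:^|[?&\s"])msg_to=([^&\s"]*)/', $line, $matches) > 0) {
        foreach ($matches[1] as $raw) {
            $decoded = decodeParam($raw);
            if (hasXssMarkers($decoded)) {
                $hits[] = $decoded;
            }
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sampleLog = [
    '203.0.113.5 - - [16/Feb/2025:10:00:01 +0000] "POST /crm/inicio.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Feb/2025:10:00:02 +0000] "POST /crm/inicio.php?msg_to=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Feb/2025:10:00:03 +0000] "POST /crm/inicio.php?msg_to=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    // A body as a WAF audit log would record it, double-encoded to slip past a naive grep.
    'BODY msg_to=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E&text=hi',
];

$alerts = 0;
foreach ($sampleLog as $line) {
    foreach (suspiciousMsgTo($line) as $payload) {
        $alerts++;
        echo "ALERT msg_to payload: {$payload}\n";
    }
}
echo "{$alerts} suspicious request(s) out of " . count($sampleLog) . " lines\n";
```

Run with the php command-line interpreter; on the constructed sample it reports the script-tag request and the double-encoded img/onerror body (two alerts) and leaves the legitimate e-mail address alone. Point it at a real log by replacing the array with a line-by-line read of the file, and treat every hit as a lead to confirm in the application, not as proof of compromise.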
EPSS: 0.11% (30th percentile)
The primary mitigation for CVE-2025-1360 is to upgrade Sublime CRM to version 20250207.0.1 or later. If upgrading immediately is not feasible, add input validation and output encoding for the 'msg_to' parameter in /crm/inicio.php: validate the value against what the field may legitimately contain, and HTML-encode it wherever it is written into a page (htmlspecialchars with ENT_QUOTES for HTML element and attribute contexts). A web application firewall (WAF) configured to block XSS payloads adds a temporary layer of protection, but it is a stopgap, not a fix. Review coding standards so that all user-supplied data is encoded on output, which prevents this class of bug rather than this one instance. After upgrading, confirm the fix by submitting a simple JavaScript payload in 'msg_to' and verifying that the response returns it encoded rather than as live markup.
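For the interim hardening described above, here is the vulnerable reflection of msg_to beside a hardened version of the same handler, written as an added example: this is not Sublime CRM's code, and the vendor's actual fix is not shown. The function names, the form markup and the assumption that msg_to holds an e-mail address are mine; the technique is validate the input, then encode on output with htmlspecialchars.

```php
<?php
// Added example, not Sublime CRM's own code: the vulnerable pattern described
// above beside a hardened version of the same handler. The function names and
// the assumption that msg_to holds an e-mail address are mine, not the vendor's.
// Requires PHP 8 (str_contains).
declare(strict_types=1);

/** Vulnerable: the client-supplied value goes into the HTML exactly as sent. */
function renderRecipientUnsafe(array $post): string
{
    return '<input name="msg_to" value="' . ($post['msg_to'] ?? '') . '">';
}

/** Output encoding for an HTML element or attribute context. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both quote characters, so a value can close neither
    // a double-quoted attribute nor a single-quoted one.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened: validate the value against what the field may legitimately hold,
 * then encode on output. Both steps matter: validation rejects junk early, but
 * only output encoding is safe for every value that passes it.
 */
function renderRecipientSafe(array $post): string
{
    $raw = (string) ($post['msg_to'] ?? '');

    // Assumption for this example: msg_to is the recipient's e-mail address.
    // Anything else is rejected, not "cleaned".
    $validated = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($validated === false) {
        $validated = '';
    }
    return '<input name="msg_to" value="' . escapeHtml($validated) . '">';
}

/** Self-check with a constructed payload; returns true when the hardening holds. */
function selfCheck(): bool
{
    $payload = ['msg_to' => '"><script>alert(1)</script>'];
    $unsafe  = renderRecipientUnsafe($payload);
    $safe    = renderRecipientSafe($payload);

    return str_contains($unsafe, '<script>')   // payload is live in the vulnerable output
        && !str_contains($safe, '<script>')    // rejected by validation
        && escapeHtml($payload['msg_to']) === '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;'
        && renderRecipientSafe(['msg_to' => 'alice@example.com'])
            === '<input name="msg_to" value="alice@example.com">';
}

echo selfCheck() ? "hardening holds\n" : "hardening FAILED\n";
```

Run it with the php command-line interpreter (PHP 8 or later); it prints "hardening holds" when the encoded output contains no live markup. The constructed payload starts with a double quote so that, in the vulnerable version, it breaks out of the value attribute before opening the script tag, which is why encoding with ENT_QUOTES rather than plain htmlspecialchars defaults is the relevant detail for attribute contexts.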
Upgrade Sublime CRM to version 20250207.0.1 or later, which fixes the XSS vulnerability. If upgrading is not possible, consider disabling or removing the affected component (inicio.php), or implement input sanitization and output encoding for the msg_to parameter in inicio.php to prevent XSS execution.
CVE-2025-1360 is a cross-site scripting (XSS) vulnerability in Sublime CRM versions up to 20250207, allowing attackers to inject malicious scripts.
You are affected if you are using Sublime CRM versions prior to 20250207.0.1.
Upgrade to Sublime CRM version 20250207.0.1 or later. Implement input validation and output encoding as a temporary workaround.
As of now, there are no publicly known active exploits for CVE-2025-1360, but the vulnerability remains a risk.
Refer to the Internet Web Solutions website or their security advisory page for the official advisory regarding CVE-2025-1360.