A security vulnerability has been identified in Krayin CRM 2.1.0 that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file. This exploit leverages Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) via SVG to:
- Steal the admin’s XSRF token from cookies.
- Change the admin’s password without knowing the current password via an unprotected API endpoint.
This could lead to full admin account takeover and data breaches.
- CSRF + XSS via SVG File Upload (Stored Client-Side Attack)
- Broken Access Control (Password Change Without Current Password)
- User Management Module (
/admin/settings/users/edit/[ID]) - File Upload/Email Attachment Handling (SVG with embedded JavaScript)
- Attacker (low-privilege user) sends an email with a malicious SVG attachment to an admin.
- Admin opens the SVG file in a new tab.
- JavaScript inside the SVG executes, harvesting the admin's
XSRF-TOKENcookie. - A forged POST request is sent to the CRM’s user management endpoint, changing the admin’s password.
- Attacker gains full admin access using the new password.
- Screen recording of the exploit in action:
krayin.mp4
- Malicious SVG file: svgxss.svg
- Full Admin Account Takeover: Attacker can reset the admin password and log in.
- Data Breach: Access to sensitive CRM data (customer info, transactions, etc.).
- Persistence: Attacker can create backdoor accounts or modify system settings.
- The CRM allows SVG files with embedded JavaScript, enabling XSS.
- The
/admin/settings/users/editendpoint does not enforce current password verification.
This vulnerability poses a critical risk to the CRM’s security, allowing attackers to hijack admin accounts with minimal effort. Immediate action is required to patch the issue and prevent exploitation.