{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rukovoditel-crm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-31845"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Rukovoditel CRM"],"_cs_severities":["high"],"_cs_tags":["rukovoditel","xss","cve-2026-31845","web-application"],"_cs_type":"advisory","_cs_vendors":["Rukovoditel"],"content_html":"\u003cp\u003eRukovoditel CRM version 3.6.4 and earlier is vulnerable to a reflected cross-site scripting (XSS) attack. This vulnerability resides in the Zadarma telephony API endpoint (/api/tel/zadarma.php), where the application unsafely reflects the 'zd_echo' GET parameter directly into the HTTP response. This direct reflection, without proper sanitization, output encoding, or content-type restrictions, allows for the injection of arbitrary JavaScript code. An unauthenticated attacker can craft malicious URLs containing XSS payloads to exploit this vulnerability. The vulnerability was reported on 2026-04-11. Rukovoditel CRM is a web-based application, making this a potentially widespread vulnerability affecting any installations running the vulnerable version. Defenders should prioritize patching and implement mitigations to prevent exploitation. The vulnerability is fixed in version 3.7.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a JavaScript payload within the \u003ccode\u003ezd_echo\u003c/code\u003e GET parameter, targeting the \u003ccode\u003e/api/tel/zadarma.php\u003c/code\u003e endpoint. For example: \u003ccode\u003e/api/tel/zadarma.php?zd_echo=\u0026lt;script\u0026gt;alert('XSS')\u0026lt;/script\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL via email, social media, or other channels to a potential victim.\u003c/li\u003e\n\u003cli\u003eThe victim, unaware of the malicious intent, clicks on the crafted URL.\u003c/li\u003e\n\u003cli\u003eThe victim's browser sends an HTTP GET request to the Rukovoditel CRM server, including the malicious \u003ccode\u003ezd_echo\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Rukovoditel CRM server receives the request and, due to the vulnerability, directly reflects the JavaScript payload from the \u003ccode\u003ezd_echo\u003c/code\u003e parameter into the HTTP response without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe server sends the HTTP response containing the attacker's JavaScript payload back to the victim's browser. The Content-Type of the response may not be properly set to prevent script execution.\u003c/li\u003e\n\u003cli\u003eThe victim's browser executes the injected JavaScript code within the context of the Rukovoditel CRM application.\u003c/li\u003e\n\u003cli\u003eThe attacker's JavaScript payload can then perform actions such as stealing cookies, redirecting the user to a phishing site, or modifying the content of the page. This can lead to session hijacking, credential theft, or account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reflected XSS vulnerability can have severe consequences. An attacker can hijack user sessions, potentially gaining unauthorized access to sensitive data within the Rukovoditel CRM system. Credential theft is also possible, allowing the attacker to directly compromise user accounts. Furthermore, the attacker could use the XSS vulnerability to redirect users to phishing sites, tricking them into revealing their login credentials or other personal information. Account takeover could lead to complete control over the CRM data, affecting customer relationships and business operations. While the specific number of victims is unknown, any organization using Rukovoditel CRM version 3.6.4 or earlier is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Rukovoditel CRM to version 3.7 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Rukovoditel CRM XSS Attempt\u003c/code\u003e to monitor for exploitation attempts targeting the \u003ccode\u003e/api/tel/zadarma.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter requests containing potentially malicious JavaScript payloads in the \u003ccode\u003ezd_echo\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eEnable proper input validation and output encoding on all user-supplied input fields within the Rukovoditel CRM application, following secure coding practices to prevent future XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of clicking on suspicious links and the importance of verifying the authenticity of URLs before visiting them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rukovoditel-xss/","summary":"A reflected XSS vulnerability in Rukovoditel CRM version 3.6.4 and earlier allows unauthenticated attackers to inject malicious JavaScript by reflecting the 'zd_echo' GET parameter, leading to potential session hijacking and account takeover.","title":"Rukovoditel CRM Reflected XSS Vulnerability (CVE-2026-31845)","url":"https://feed.craftedsignal.io/briefs/2024-01-rukovoditel-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Rukovoditel CRM","version":"https://jsonfeed.org/version/1.1"}