CVE-2017-18004

LOW 3.5 / 10.0
Published: December 31, 2017 at 07:29 PM
Modified: April 20, 2025 at 01:37 AM
Source: cve@mitre.org

Vulnerability Description

Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.

CVSS Metrics

Base Score: 3.5
Severity: LOW
Vector String: AV:N/AC:M/Au:S/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Zurmo CRM 3.2.3 is vulnerable to a Cross-Site Scripting (XSS) attack that lets an attacker inject JavaScript into the application's pages. The injection point is the latitude or longitude parameter of the maps/default/mapAndPoint endpoint, and a successful attack can lead to account compromise, data theft, or redirection of legitimate users to attacker-controlled pages.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a URL to the maps/default/mapAndPoint endpoint whose latitude or longitude parameter carries an XSS payload designed to execute arbitrary JavaScript.

Step 2: User Interaction: The attacker either tricks a legitimate user into clicking the malicious URL or embeds the URL within a phishing email or a compromised website.

Step 3: Request Processing: When the user's browser accesses the malicious URL, the Zurmo application receives the request, including the attacker's XSS payload in the latitude or longitude parameter.

Step 4: Vulnerable Code Execution: The application's code fails to sanitize or encode the latitude or longitude parameter before rendering the map. The attacker's JavaScript payload is directly embedded into the HTML output.

Step 5: Payload Execution: The user's browser executes the injected JavaScript code. This code can perform various malicious actions, such as stealing session cookies, redirecting the user to a phishing site, or modifying the content of the page.

03 // Deep Technical Analysis

The vulnerability lies in the lack of input validation and output encoding for the latitude and longitude parameters of the Zurmo CRM map view. The application takes the user-supplied values and renders them into the map page as-is, so an attacker can place arbitrary HTML and JavaScript in either parameter. When a user views the resulting map, the injected script runs in that user's browser session and can act on the user's behalf: stealing session cookies, redirecting the user to a phishing site, or modifying the page content. The root cause is that these values, which should only ever be numbers, are neither validated as coordinates nor HTML-escaped before being written into the output.
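To illustrate the missing validation and encoding the analysis describes, here is an added Python example (not Zurmo's code; the page template, parameter names and sample requests are constructed assumptions): a renderer that writes the raw parameters into the page beside one that accepts only in-range decimal coordinates and HTML-encodes them on output.

```python
import html
import re

# Constructed sample requests (not taken from the advisory): a normal
# coordinate pair, and one whose latitude carries markup instead of a number.
GOOD_REQUEST = {"latitude": "37.7749", "longitude": "-122.4194"}
BAD_REQUEST = {"latitude": "<script>probe()</script>", "longitude": "0"}

# Hypothetical page fragment standing in for the map view's HTML output.
TEMPLATE = '<div id="map" data-lat="{lat}" data-lng="{lng}"></div>'


def render_map_point_vulnerable(params):
    """The pattern the advisory describes: raw query values are written into
    the page, so any markup they contain reaches the browser unchanged."""
    return TEMPLATE.format(lat=params["latitude"], lng=params["longitude"])


def parse_coordinate(value, low, high):
    """Accept only a plain decimal number within [low, high]; reject the rest."""
    if not re.fullmatch(r"-?[0-9]{1,3}(\.[0-9]{1,10})?", value):
        raise ValueError(f"not a plain decimal coordinate: {value!r}")
    number = float(value)
    if not low <= number <= high:
        raise ValueError(f"coordinate {number} outside [{low}, {high}]")
    return number


def render_map_point_hardened(params):
    """Validate both parameters as coordinates, then HTML-encode on output.
    Validation leaves only digits, '-' and '.', but the attribute context is
    escaped anyway so safety does not rest on the validator alone."""
    lat = parse_coordinate(params.get("latitude", ""), -90.0, 90.0)
    lng = parse_coordinate(params.get("longitude", ""), -180.0, 180.0)
    return TEMPLATE.format(lat=html.escape(str(lat)), lng=html.escape(str(lng)))


def is_rejected(params):
    """True when the hardened renderer refuses the request with ValueError."""
    try:
        render_map_point_hardened(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_map_point_vulnerable(BAD_REQUEST))   # markup survives intact
    print(render_map_point_hardened(GOOD_REQUEST))    # numeric values only
    print(is_rejected(BAD_REQUEST), is_rejected({"latitude": "91", "longitude": "0"}))
```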

CVE-2017-18004 - LOW Severity (3.5) | Free CVE Database | 4nuxd