
CVE-2025-3568 PoC — Webkul Krayin CRM security vulnerability

Source
Associated Vulnerability
Title: Webkul Krayin CRM security vulnerability (CVE-2025-3568)
Description: Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Webkul Krayin CRM 2.1.0 and earlier contain a security vulnerability: the file /admin/settings/users/edit is susceptible to cross-site scripting attacks.
Description
A security vulnerability has been identified in Krayin CRM <=2.1.0 that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file.
Readme
# CVE-2025-3568
# Privilege Escalation via Malicious SVG File

## Summary

A security vulnerability has been identified in **Krayin CRM 2.1.0** that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file. This exploit leverages **Cross-Site Request Forgery (CSRF)** and **Cross-Site Scripting (XSS)** via SVG to:

- Steal the admin’s **XSRF token** from cookies.
- Change the admin’s password without knowing the current password via an **unprotected API endpoint**.

This could lead to **full admin account takeover** and **data breaches**.

---

## Technical Details

### Vulnerability Type
- **CSRF + XSS via SVG File Upload** (Stored Client-Side Attack)
- **Broken Access Control** (Password Change Without Current Password)

### Affected Component
- **User Management Module** (`/admin/settings/users/edit/[ID]`)
- **File Upload/Email Attachment Handling** (SVG with embedded JavaScript)

### Attack Flow
1. **Attacker (low-privilege user)** sends an email with a **malicious SVG attachment** to an admin.
2. **Admin opens the SVG file** in a new tab.
3. **JavaScript inside the SVG executes**, harvesting the admin's `XSRF-TOKEN` cookie.
4. A **forged POST request** is sent to the CRM’s user management endpoint, changing the admin’s password.
5. **Attacker gains full admin access** using the new password.

---

## Proof of Concept (PoC)

- **Screen recording of the exploit in action:** https://github.com/user-attachments/assets/36f5f5ec-d7f1-4ea8-aa78-f1be396e13d3
- **Malicious SVG file:** `svgxss.svg`

---

## Impact
- **Full Admin Account Takeover:** Attacker can reset the admin password and log in.
- **Data Breach:** Access to sensitive CRM data (customer info, transactions, etc.).
- **Persistence:** Attacker can create **backdoor accounts** or modify system settings.

---

## Root Cause Analysis

### Missing SVG Sanitization
- The CRM allows **SVG files with embedded JavaScript**, enabling XSS.
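
Added example (not code from the PoC repository or from Krayin CRM): a server-side check, using only Python's standard library, that rejects SVG uploads and attachments carrying the kind of active content this report depends on (script elements, `on*` event handlers, `javascript:` links). The sample SVGs are constructed here and are not the `svgxss.svg` from the repository.

```python
import re
import xml.etree.ElementTree as ET  # swap in defusedxml for untrusted XML in production

# SVG elements that execute script or embed foreign (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "set", "animate",
                   "animateMotion", "animateTransform", "handler"}
# href/src values with these schemes execute code when followed or loaded.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def local_name(qualified):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]  # reject anything the parser cannot read
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)
            if attr_name.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in ("href", "src") and SCRIPT_SCHEME.match(value):
                findings.append(f"script URL in {attr_name} on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    """Accept an upload only when no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed samples for demonstration (not the PoC's svgxss.svg).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="50" cy="50" r="40" onload="alert(1)"/>
  <script>/* attacker-controlled script */</script>
  <a xlink:href="javascript:void(0)"><text y="20">link</text></a>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

if __name__ == "__main__":
    for finding in find_active_content(MALICIOUS_SVG):
        print("reject:", finding)
    print("benign accepted:", is_safe_svg(BENIGN_SVG))
```

Even with this check in place, serving user uploads with `Content-Disposition: attachment` or from a separate origin means an SVG that slips through never runs with the CRM's cookies in scope.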

### Broken Password Change Logic
- The `/admin/settings/users/edit` endpoint **does not enforce current password verification**.

---

## Conclusion
This vulnerability poses a **critical risk** to the CRM’s security, allowing attackers to **hijack admin accounts** with minimal effort. Immediate action is required to **patch the issue** and **prevent exploitation**.

---

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-3568
- https://vuldb.com/?id.304609
File Snapshot

[4.0K] /data/pocs/db380be0f1d28231e49805822795786bd42113e8
├── [2.4K] README.md
└── [2.0K] svgxss.svg

0 directories, 2 files