CVE-2024-46367

9.6 CRITICAL

📋 TL;DR

A stored cross-site scripting vulnerability in Webkul Krayin CRM 1.3.0 allows attackers to inject malicious JavaScript via the username field. When executed, this can lead to privilege escalation and unauthorized access to CRM functions. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Webkul Krayin CRM
Versions: 1.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation with no special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with administrative privileges, data theft, and persistent backdoor access to the CRM.

🟠 Likely Case: Session hijacking, data manipulation, and unauthorized access to sensitive customer information.

🟢 If Mitigated: Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but payload execution is straightforward once injected.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

Implement server-side validation and sanitization of username field inputs to strip or encode malicious characters.
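The two layers this workaround describes, shown side by side as an added example (not code from Krayin CRM or from the advisory): an allowlist validator applied when a username is submitted, and HTML output encoding applied when the stored value is rendered, next to the unencoded rendering pattern that makes stored XSS possible. The allowlist policy, the markup and the sample usernames are constructed for this example.

```python
import html
import re

# Allowlist policy for usernames, constructed for this example (not Krayin's own rule):
# letters, digits, dot, underscore and hyphen, 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def validate_username(username: str) -> bool:
    """Server-side input validation: accept only allowlisted characters."""
    return USERNAME_RE.fullmatch(username) is not None


def render_profile_unsafe(username: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML verbatim,
    so a username containing markup is rendered as markup."""
    return f"<span class=\"user\" title=\"{username}\">{username}</span>"


def render_profile_safe(username: str) -> str:
    """Hardened pattern: encode at output time for the context the value lands in.
    html.escape(quote=True) encodes & < > \" and ', which covers both the element
    text and the double-quoted attribute used here."""
    enc = html.escape(username, quote=True)
    return f"<span class=\"user\" title=\"{enc}\">{enc}</span>"


def contains_raw_markup(rendered: str, username: str) -> bool:
    """Check: does an untrusted value containing markup characters survive
    unencoded in the rendered output?"""
    return any(ch in username for ch in "<>\"'") and username in rendered


# Constructed sample inputs: a benign username and a stored-XSS style one.
BENIGN = "alice_01"
HOSTILE = "<script>alert(1)</script>"

if __name__ == "__main__":
    for name in (BENIGN, HOSTILE):
        print("valid: ", validate_username(name))
        print("unsafe:", render_profile_unsafe(name))
        print("safe:  ", render_profile_safe(name))
```

Validation and encoding are independent layers: validation only affects usernames submitted after the check is deployed, so any hostile username already stored in the database is neutralised only by encoding at render time. A workaround that covers input alone leaves existing records exploitable.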

Content Security Policy

Implement a strict Content Security Policy header to prevent execution of inline scripts.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Implement web application firewall rules to block XSS payloads in username fields.
  • Disable or restrict user registration functionality if not essential.

🔍 How to Verify

Check if Vulnerable:

Test by attempting to inject a JavaScript payload into the username field and checking whether it executes when the username is viewed.

Check Version:

Check CRM version in admin panel or configuration files.

Verify Fix Applied:

Verify that JavaScript payloads in username fields are properly sanitized and do not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual username entries containing script tags or JavaScript code
  • Multiple failed login attempts with suspicious usernames

Network Indicators:

  • HTTP requests with username parameters containing script tags or JavaScript

SIEM Query:

source="web_logs" AND (username="*<script>*" OR username="*javascript:*")
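The SIEM query above matches the literal strings `<script>` and `javascript:` in a parsed username field. As an added example (not from the advisory or from any SIEM product), the same detection logic is run in Python over constructed key=value web-log records, with two refinements a practitioner would want: percent-encoded values are decoded before matching, and the match is case-insensitive, so encoded or upper-cased variants of the same strings are not missed. The log format, paths and addresses are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed key=value web-log records; format, paths and addresses are assumptions,
# not output from a real Krayin CRM deployment.
SAMPLE_LOGS = [
    "ts=2024-09-01T10:00:01Z src=10.0.0.5 method=POST path=/crm/users/update status=302 username=alice",
    "ts=2024-09-01T10:00:07Z src=10.0.0.9 method=POST path=/crm/users/update status=302 username=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "ts=2024-09-01T10:00:09Z src=10.0.0.9 method=POST path=/crm/users/update status=302 username=%3CSCRIPT%3Ealert(1)%3C%2FSCRIPT%3E",
    "ts=2024-09-01T10:00:12Z src=10.0.0.3 method=GET path=/crm/dashboard status=200",
    "ts=2024-09-01T10:00:15Z src=10.0.0.4 method=POST path=/crm/login status=302 username=javascript:void(0)",
    "ts=2024-09-01T10:00:20Z src=10.0.0.8 method=POST path=/crm/users/update status=302 username=bob.smith",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Same two indicators as the SIEM query, made case-insensitive and tolerant of
# whitespace between '<' and 'script' / between 'javascript' and ':'.
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def parse_record(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode a value a bounded number of times so that encoded and
    double-encoded payloads compare equal to their plain form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_username(raw: str) -> bool:
    """Apply the two indicators to the decoded username value."""
    value = normalize(raw)
    return bool(SCRIPT_TAG_RE.search(value) or JS_URI_RE.search(value))


def find_suspicious(lines) -> list:
    """Return (timestamp, source, decoded username) for every record whose
    username field trips an indicator."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        username = rec.get("username")
        if username is not None and is_suspicious_username(username):
            hits.append((rec.get("ts"), rec.get("src"), normalize(username)))
    return hits


if __name__ == "__main__":
    for ts, src, username in find_suspicious(SAMPLE_LOGS):
        print(f"{ts} {src} suspicious username: {username!r}")
```

The literal SIEM pattern would catch only the first encoded record after the SIEM's own decoding, if it performs any; decoding and lower-casing before matching is what lets the second and third records trigger as well. Matching on these two strings is a high-signal but narrow check, so treat a hit as a reason to inspect the stored username in the CRM rather than as the only detection in place.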

🔗 References
