Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A cross-site scripting (XSS) vulnerability in the component /Login.php of c3crm up to v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login_error parameter.
AnalysisAI
CVE-2023-44915 is a reflected cross-site scripting (XSS) vulnerability in c3crm's /Login.php component affecting versions up to v3.0.4, where the login_error parameter fails to properly sanitize user input. An attacker can inject malicious JavaScript that executes in victims' browsers when they click a crafted login link, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of authenticated users. With a CVSS score of 7.1 and network-based attack vector requiring only user interaction, this represents a moderate-to-high severity issue for organizations using vulnerable c3crm deployments.
Technical ContextAI
This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a PHP-based CRM application. The /Login.php endpoint fails to encode or validate the login_error parameter before reflecting it back in HTML output, allowing an attacker to break out of the current context and inject arbitrary HTML/JavaScript. The vulnerability exists in the presentation layer where user-controlled input is rendered directly to the DOM without sanitization via htmlspecialchars(), htmlentities(), or context-appropriate output encoding. CPE for affected product: cpe:2.3:a:c3crm:c3crm:*:*:*:*:*:*:*:* (versions <=3.0.4). This is a parameter-based injection flaw common in legacy PHP applications that predate secure coding frameworks.
RemediationAI
Upgrade c3crm to version 3.0.5 or later immediately. Contact c3crm vendor or check https://c3crm.com (official vendor site) for security updates. Code-Level Mitigation: In /Login.php, apply context-appropriate output encoding to the login_error parameter: replace unencoded output with htmlspecialchars($login_error, ENT_QUOTES, 'UTF-8') or use a templating engine with auto-escaping (Twig, Blade). Input Validation: Validate and sanitize the login_error parameter server-side: whitelist acceptable characters, enforce maximum length, reject special characters if not required. Content Security Policy: Implement strict CSP headers (e.g., Content-Security-Policy: default-src 'self'; script-src 'self') to mitigate XSS impact even if filtering fails. Workaround (Temporary): If immediate patching is impossible: (1) Restrict access to /Login.php via WAF/firewall rules, (2) Implement rate limiting on login endpoints, (3) Monitor for suspicious login_error parameter patterns, (4) Use reverse proxy to strip or sanitize the parameter.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2023-49238