CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type enforcement. The vulnerability is caused by the following code: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); This results in arbitrary JavaScript execution in the context of the victim's browser when a crafted URL is visited. An attacker can exploit this issue by sending a malicious link such as: https://TARGET/api/tel/zadarma.php?zd_echo=<script>alert('XSS')</script> When a victim clicks the link, the payload executes in the application context, enabling session theft, phishing, and potential account takeover if sensitive users are targeted.
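The single line quoted above is the whole bug: the raw GET value becomes the response body with no encoding and no Content-Type, so a browser renders it as HTML. The following is an added example, not Rukovoditel's code, showing that vulnerable pattern beside a hardened echo handler; it assumes the echo exists only so the telephony provider can verify the webhook URL with a short token, so a narrow allow-list and a text/plain response are enough.

```php
<?php
// Added example (not Rukovoditel's code). Assumption: zd_echo is a short
// verification token that the telephony provider expects to be echoed back.

// Vulnerable form, as described in the advisory: the raw query value is
// written straight into the body, with no output encoding and no
// Content-Type header, so a browser renders attacker-supplied markup.
function zadarma_echo_vulnerable(): void
{
    if (isset($_GET['zd_echo'])) {
        exit($_GET['zd_echo']);
    }
}

// Hardened form: accept only a short token of safe characters, reject
// anything else, and answer as text/plain with nosniff so that even an
// unexpected value is never interpreted as HTML by the browser.
function zadarma_echo_hardened(): void
{
    if (!isset($_GET['zd_echo'])) {
        return;
    }
    $echo = $_GET['zd_echo'];

    // Allow-list (assumed token format): 1-64 characters of [A-Za-z0-9_-].
    // is_string() also rejects zd_echo[]=... array tricks.
    if (!is_string($echo) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $echo)) {
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        exit('invalid zd_echo');
    }

    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    // Output encoding is a second layer of defence; after the allow-list
    // it changes nothing, but it protects the handler if the list is relaxed.
    exit(htmlspecialchars($echo, ENT_QUOTES, 'UTF-8'));
}

zadarma_echo_hardened();
```

If the provider requires the token to be returned byte-for-byte, keep the allow-list and the text/plain header and drop the htmlspecialchars() call; the Content-Type is what stops the browser from executing the reflected value.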
Analysis
Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. …
Remediation
Within 24 hours: Identify all systems running Rukovoditel CRM 3.6.4 and isolate or restrict network access to the Zadarma API endpoint (/zadarma or equivalent). Within 7 days: Contact Rukovoditel vendor for patch timeline; if unavailable, implement Web Application Firewall (WAF) rules to block requests containing 'zd_echo' parameter or deploy reverse proxy filtering. …
External POC / Exploit Code
EUVD-2026-21682
GHSA-hxff-cjjh-cmf4