Vulnerability Summary: Vtiger CRM v8.4.0 Reflected XSS

Overview
CVE ID: CVE-2025-70936
Vulnerability Type: Reflected Cross-Site Scripting (Reflected XSS)
Affected Module: MailManager
Root Cause: In the operation of the module, the parameter improperly handles user-controllable input, allowing reflection and execution of malicious payloads that are double URL-encoded.

Impact Scope
Affected Version: Vtiger CRM v8.4.0
Impact Description: An attacker can execute arbitrary JavaScript code within the session context of an authenticated user, potentially leading to session hijacking.

Remediation
No specific fix code or patch information is provided on the page. It is recommended to implement strict input validation and output encoding for the parameter.

Reproduction Steps (POC)
1. In Vtiger CRM, navigate to Mail Manager:
2. Click Inbox and intercept the request using tools such as Burp Suite.
3. Locate the parameter at the bottom of the request.
4. Modify the parameter value to:
5. Forward the request and observe JavaScript execution (cookie alert) in the browser.
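As an added example, not code from this page or from the Vtiger project, the following Python shows why a filter that URL-decodes only once misses a double-encoded payload, and the two defender-side fixes the Remediation section calls for: canonicalize the value before validating it, and HTML-encode it on output. The sample payload, the decode budget and the template snippet are constructed placeholders; the page does not name the parameter or the payload.

```python
"""Added example (not Vtiger's code): double URL-encoding versus a one-pass
input filter, and the canonicalize-then-encode defence."""
from urllib.parse import unquote
import html

# Constructed sample: "<script>...</script>" URL-encoded twice ("%3C" -> "%253C").
DOUBLE_ENCODED = "%253Cscript%253Ealert(document.cookie)%253C%252Fscript%253E"
MAX_DECODE_ROUNDS = 5  # assumed budget; a request needing more is itself suspicious


def naive_filter_rejects(value: str) -> bool:
    """Filter that URL-decodes once and then looks for a tag start.
    One decode of the sample yields '%3Cscript...', which has no '<',
    so this filter lets the double-encoded payload through."""
    return "<" in unquote(value)


def canonicalize(value: str):
    """Decode until the string stops changing, so validation sees the text
    the application (or browser) will ultimately act on.  Returns None when
    the bounded budget is exhausted, which callers treat as a rejection."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def canonical_filter_rejects(value: str) -> bool:
    """Same tag check as the naive filter, but on the canonical form."""
    canonical = canonicalize(value)
    return canonical is None or "<" in canonical


def render_hardened(param: str) -> str:
    """Output encoding for an HTML attribute context (hypothetical template).
    Applied to the decoded value, this is what stops the reflected payload
    from executing even if validation upstream was bypassed."""
    return f"<input name='q' value='{html.escape(param, quote=True)}'>"
```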