
CVE-2025-3568 PoC — Webkul Krayin CRM SVG File edit cross site scripting

Associated Vulnerability
Title: Webkul Krayin CRM SVG File edit cross site scripting (CVE-2025-3568)
Description: A vulnerability has been found in Webkul Krayin CRM up to 2.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/settings/users/edit/ of the component SVG File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor is preparing a fix for the next major release and states that, for that reason, it does not consider the issue to qualify for a CVE.
Description
A security vulnerability has been identified in Krayin CRM <=2.1.0 that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file.
Readme
# CVE-2025-3568: Privilege Escalation via Malicious SVG File

## Summary

A security vulnerability has been identified in **Krayin CRM 2.1.0** that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file. This exploit leverages **Cross-Site Request Forgery (CSRF)** and **Cross-Site Scripting (XSS)** via SVG to:

- Steal the admin’s **XSRF token** from cookies.
- Change the admin’s password without knowing the current password via an **unprotected API endpoint**.

This could lead to **full admin account takeover** and **data breaches**.

---

## Technical Details

### Vulnerability Type
- **CSRF + XSS via SVG File Upload** (Stored Client-Side Attack)
- **Broken Access Control** (Password Change Without Current Password)

### Affected Component
- **User Management Module** (`/admin/settings/users/edit/[ID]`)
- **File Upload/Email Attachment Handling** (SVG with embedded JavaScript)

### Attack Flow
1. **Attacker (low-privilege user)** sends an email with a **malicious SVG attachment** to an admin.
2. **Admin opens the SVG file** in a new tab.
3. **JavaScript inside the SVG executes**, harvesting the admin's `XSRF-TOKEN` cookie.
4. A **forged POST request** is sent to the CRM’s user management endpoint, changing the admin’s password.
5. **Attacker gains full admin access** using the new password.

---

## Proof of Concept (PoC)

- **Screen recording of the exploit in action:** https://github.com/user-attachments/assets/36f5f5ec-d7f1-4ea8-aa78-f1be396e13d3
- **Malicious SVG file:** `svgxss.svg`

---

## Impact
- **Full Admin Account Takeover:** Attacker can reset the admin password and log in.
- **Data Breach:** Access to sensitive CRM data (customer info, transactions, etc.).
- **Persistence:** Attacker can create **backdoor accounts** or modify system settings.

---

## Root Cause Analysis

### Missing SVG Sanitization
- The CRM allows **SVG files with embedded JavaScript**, enabling XSS.
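
As an added defender-side example (not code from the Krayin CRM project or from this PoC), the following Python upload gate rejects SVG files that carry active content before they are stored or attached to mail. The sample SVGs are constructed for the demonstration; the element and attribute names checked are standard SVG ones, and the rejection list is an assumption about what a CRM would consider unacceptable in an image upload.

```python
# Defensive upload gate for SVG attachments/avatars: reject files that carry
# active content, the XSS root cause named above. Added example, not Krayin code.
import re
import xml.etree.ElementTree as ET
from typing import List

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}  # execute or embed script
URL_ATTRS = {"href", "src", "data"}                                   # accept javascript:/data: URLs
URL_SCHEME_RE = re.compile(r"^(javascript|data|vbscript):")


def _local(name: str) -> str:
    # ElementTree names namespaced items '{ns}script'; keep only 'script'.
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return the reasons an SVG must be rejected; an empty list means clean."""
    # Refuse DTDs outright so entity-expansion tricks never reach the parser.
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", svg_bytes, re.IGNORECASE):
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler {aname} on <{tag}>")
            elif aname in URL_ATTRS:
                # Strip whitespace/control bytes first: browsers tolerate "java\tscript:".
                if URL_SCHEME_RE.match(re.sub(r"[\s\x00-\x1f]", "", value).lower()):
                    findings.append(f"{aname}={value!r} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not find_active_content(svg_bytes)


# Constructed samples: one benign icon, three carrying active content.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* runs if opened in a tab */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java\tscript:void 0"><text>open</text></a></svg>')
```

Rejecting at upload time complements, rather than replaces, serving stored SVGs with `Content-Disposition: attachment` so that an admin who clicks an attachment downloads it instead of rendering it in a tab.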

### Broken Password Change Logic
- The `/admin/settings/users/edit` endpoint **does not enforce current password verification**.

---

## Conclusion
This vulnerability poses a **critical risk** to the CRM’s security, allowing attackers to **hijack admin accounts** with minimal effort. Immediate action is required to **patch the issue** and **prevent exploitation**.

---

## References

- https://nvd.nist.gov/vuln/detail/CVE-2025-3568
- https://vuldb.com/?id.304609