OroCRM suffers from a persistent cross-site scripting vulnerability.
OroCRM is an easy-to-use, open source CRM with built-in marketing automation tools for your commerce business. It's the CRM built for both sales and marketing!
Type of vulnerability: Persistent (stored) cross-site scripting
Proof of concept:
1. Go to http://server, add a new lead and fill in all the fields properly, but fill the email field with the XSS payload given in the screenshot.
2. Payload used: "><img src=d onerror=confirm(/provensec/);>
3. Click the Save and Close button.
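As an added illustration (not code from the advisory or from OroCRM itself), the following JavaScript renders a lead's email field first the way a vulnerable template would and then with input validation plus HTML output escaping, using the payload quoted above; the escaping and validation helpers are assumptions, not OroCRM's own code.

```javascript
// Added example (not part of the advisory): shows why the lead's email
// field must be validated on input and HTML-escaped on output.
// Payload copied verbatim from the advisory above.
const ADVISORY_PAYLOAD = '"><img src=d onerror=confirm(/provensec/);>';

// Escapes the characters that can terminate an attribute or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Conservative syntactic email check (assumption: a single local@domain
// form is enough for a CRM lead; adjust to the product's own rules).
function isPlausibleEmail(value) {
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(value);
}

// Vulnerable rendering: the stored value is concatenated straight into the
// attribute, so a leading "> closes it and the <img> becomes real markup.
function renderEmailUnsafe(email) {
  return '<input name="email" value="' + email + '">';
}

// Hardened rendering: reject malformed input, and escape on output anyway
// (defence in depth; the escape alone is enough to keep the page intact).
function renderEmailSafe(email) {
  if (!isPlausibleEmail(email)) {
    throw new Error('rejected: not a valid email address');
  }
  return '<input name="email" value="' + escapeHtml(email) + '">';
}

// Counts <img ...> tags that made it into the generated HTML.
function countImgTags(html) {
  return (html.match(/<img\b/gi) || []).length;
}
```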