CVE-2026-31845
Deferred Deferred - Pending Action
Reflected XSS in Rukovoditel CRM Zadarma API Enables Account Hijack

Publication date: 2026-04-11

Last updated on: 2026-05-19

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-11
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31845
EUVD
EUVD-2026-21682
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
rukovoditel crm to 3.7 (exc)
rukovoditel crm 3.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in Rukovoditel CRM version 3.6.4 and earlier, specifically in the Zadarma telephony API endpoint (/api/tel/zadarma.php).

The application takes user input from the 'zd_echo' GET parameter and directly outputs it in the HTTP response without sanitizing or encoding it properly.

An attacker can craft a malicious URL containing JavaScript code in this parameter. When a victim clicks the link, the malicious script runs in their browser within the context of the application.

This can lead to harmful actions such as session hijacking, stealing credentials, phishing attacks, or even account takeover.

The issue is fixed in version 3.7 by adding proper input validation and output encoding to prevent script injection.

Impact Analysis

If exploited, this vulnerability can allow attackers to execute malicious scripts in the victim's browser when they visit a crafted URL.

  • Session hijacking – attackers can steal session cookies to impersonate users.
  • Credential theft – attackers can capture login information.
  • Phishing – attackers can trick users into revealing sensitive information.
  • Account takeover – attackers can gain unauthorized access to user accounts.

Because the vulnerability requires no authentication to exploit, it poses a significant risk to users of affected versions.

Detection Guidance

This vulnerability can be detected by checking if the application reflects the 'zd_echo' GET parameter directly in the HTTP response without sanitization.

One way to test this is to send a crafted HTTP request to the vulnerable endpoint and observe if the input is reflected in the response.

  • Use curl to send a request with a test script payload: curl -i "http://<target>/api/tel/zadarma.php?zd_echo=<script>alert(1)</script>"
  • Check the HTTP response for the presence of the injected script tag without encoding or sanitization.

If the script is reflected and executed in a browser, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Rukovoditel CRM to version 3.7 or later, where the vulnerability is fixed by proper input validation and output encoding.

If upgrading is not immediately possible, consider implementing web application firewall (WAF) rules to block requests containing suspicious script payloads in the 'zd_echo' parameter.

Additionally, restrict access to the vulnerable endpoint if possible and monitor logs for suspicious requests targeting the 'zd_echo' parameter.

Compliance Impact

The vulnerability is a reflected cross-site scripting (XSS) issue that can lead to session hijacking, credential theft, phishing, or account takeover. Such security weaknesses can compromise the confidentiality and integrity of user data.

While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized access to personal or sensitive information can negatively impact compliance with these regulations, which require protection of user data and secure handling of personal information.

Therefore, if exploited, this vulnerability could lead to violations of data protection requirements under regulations such as GDPR and HIPAA due to potential unauthorized disclosure or misuse of personal data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31845. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart