Description
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions.

The vulnerable code is:

if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);

An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover.

The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.
Published: 2026-04-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting allowing credential theft or account takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the Zadarma telephony API of Rukovoditel CRM. An attacker can supply arbitrary content via the zd_echo GET parameter, which the application returns unchanged. When a victim opens a crafted URL, the injected script runs in the context of the application, permitting session hijacking, credential theft, phishing or account takeover. This is a classic input‑validation weakness, CWE‑79.

Affected Systems

The flaw affects Rukovoditel CRM versions 3.6.4 and earlier. The vulnerable endpoint is /api/tel/zadarma.php.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is classified as Critical. No EPSS data is available and it is not listed in CISA’s KEV. The issue is exploitable without authentication through a simple URL, making it highly likely to be leveraged by attackers. Immediate action is required.

Generated by OpenCVE AI on April 11, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Rukovoditel CRM patch by upgrading to version 3.7 or later.

Generated by OpenCVE AI on April 11, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS in Rukovoditel CRM Zadarma API permits session hijacking

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Rukovoditel
Rukovoditel rukovoditel
Vendors & Products Rukovoditel
Rukovoditel rukovoditel

Sat, 11 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type enforcement. The vulnerability is caused by the following code: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); This results in arbitrary JavaScript execution in the context of the victim's browser when a crafted URL is visited. An attacker can exploit this issue by sending a malicious link such as: https://TARGET/api/tel/zadarma.php?zd_echo=<script>alert('XSS')</script> When a victim clicks the link, the payload executes in the application context, enabling session theft, phishing, and potential account takeover if sensitive users are targeted. A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

 cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H'}

Sat, 11 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description A pre-authenticated reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type enforcement. The vulnerability is caused by the following code: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); This results in arbitrary JavaScript execution in the context of the victim's browser when a crafted URL is visited. An attacker can exploit this issue by sending a malicious link such as: https://TARGET/api/tel/zadarma.php?zd_echo=<script>alert('XSS')</script> When a victim clicks the link, the payload executes in the application context, enabling session theft, phishing, and potential account takeover if sensitive users are targeted.
Weaknesses CWE-79
References
Metrics cvssV2_0

{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:N'}

cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Rukovoditel Rukovoditel
cve-icon MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-04-13T17:44:03.965Z

Reserved: 2026-03-09T18:20:23.398Z

Link: CVE-2026-31845

cve-icon Vulnrichment

Updated: 2026-04-13T17:43:59.274Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-11T19:16:28.537

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-31845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:56:32Z

Weaknesses