A security vulnerability has been identified in Krayin CRM 2.1.0 that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG file. This exploit leverages Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) via SVG to:
- Steal the admin’s XSRF token from cookies.
- Change the admin’s password without knowing the current password via an unprotected API endpoint.
This could lead to full admin account takeover and data breaches.