CVE-2026-31845
Rukovoditel · CRM
A reflected XSS vulnerability in the Rukovoditel CRM Zadarma telephony API allows unauthenticated attackers to execute malicious scripts in a victim's browser.
Executive summary
An unauthenticated reflected cross-site scripting (XSS) vulnerability in Rukovoditel CRM poses a high risk of session hijacking and credential theft.
Vulnerability
The Zadarma telephony API endpoint (/api/tel/zadarma.php) fails to sanitize the zd_echo GET parameter, allowing an unauthenticated attacker to inject arbitrary JavaScript that executes in the victim's browser.
Business impact
With a CVSS score of 9.3, this vulnerability is critical. Attackers can exploit this to perform session hijacking, phishing attacks, or account takeovers, potentially leading to unauthorized access to sensitive CRM data and significant reputational damage.
Remediation
Immediate Action: Upgrade Rukovoditel CRM to version 3.7 or later.
Proactive Monitoring: Review web server logs for suspicious requests to the Zadarma API endpoint containing script-like patterns.
Compensating Controls: Deploy a WAF with rules configured to detect and block reflected XSS attempts in URL parameters.
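The log review recommended above, as an added example that is not part of this advisory or of the Rukovoditel project: it parses combined-format access-log lines (constructed samples, not real traffic), keeps only requests to /api/tel/zadarma.php, URL-decodes the zd_echo value twice to catch double encoding, and flags values containing HTML or JavaScript markers. It assumes legitimate zd_echo values are plain alphanumeric tokens, which the advisory does not state.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx "combined" access-log line: only the client IP, timestamp,
# request target and status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ENDPOINT = "/api/tel/zadarma.php"  # endpoint named in the advisory
PARAM = "zd_echo"                  # parameter named in the advisory

# Heuristic markers of HTML/JS in a value that should be a plain token
# (assumption: legitimate zd_echo values are alphanumeric).
SCRIPT_LIKE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

def decode_param(target, name):
    """Return all values of `name` in the request target, decoded twice
    so double-encoded values (%253C -> %3C -> <) are also recovered."""
    raw = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    return [unquote_plus(v) for v in raw]

def is_suspicious(line):
    """Return a finding dict for a script-like zd_echo on the Zadarma
    endpoint, or None for any other request."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m.group("target")).path != ENDPOINT:
        return None
    hits = [v for v in decode_param(m.group("target"), PARAM) if SCRIPT_LIKE.search(v)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "values": hits}

def scan(lines):
    """Run is_suspicious over an iterable of log lines; return the findings."""
    return [r for r in (is_suspicious(l) for l in lines) if r]

# Constructed sample log lines: a benign Zadarma echo check, an unrelated
# request, and two script-like values (the second one double-encoded).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /api/tel/zadarma.php?zd_echo=7f3a9c1e2b HTTP/1.1" 200 10 "-" "Zadarma"',
    '203.0.113.9 - - [10/Mar/2026:10:00:02 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:00:03 +0000] "GET /api/tel/zadarma.php?zd_echo=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:00:04 +0000] "GET /api/tel/zadarma.php?zd_echo=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Point `scan` at real access-log lines to triage them; the double decode means a WAF rule keyed only on a literal `<` in the raw query string would miss the last sample.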
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high CVSS score and the nature of XSS, organizations should prioritize upgrading to version 3.7 immediately to eliminate the injection vector.