Stored XSS Vulnerability in EspoCRM Affected by Malicious JavaScript Execution
CVE-2019-13643

6.1MEDIUM

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 18 July 2019

What is CVE-2019-13643?

EspoCRM before version 5.6.4 contains a stored Cross-Site Scripting vulnerability that permits remote attackers to execute arbitrary JavaScript code. The exploit occurs when a new stream message containing an XSS payload is stored and subsequently activated by a user clicking on a malicious link within the Notifications page. This flaw can lead to significant security risks, including unauthorized actions and data exposure.

References

https://github.com/espocrm/espocrm/issues/1349

x_refsource_MISC

https://github.com/espocrm/espocrm/milestone/64?closed=1

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 18, 2019
Vulnerability Reserved
Jul 17, 2019

Espocrm

What is CVE-2019-13643?

References

CVSS V3.1

Timeline