Stored XSS Flaw in EspoCRM Knowledge Base
CVE-2019-14350

6.1MEDIUM

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 28 July 2019

What is CVE-2019-14350?

EspoCRM version 5.6.4 contains a security vulnerability that allows for stored Cross-Site Scripting (XSS) attacks via inadequate filtration of user-supplied data. An attacker can exploit this vulnerability by injecting malicious JavaScript code into the body parameter when creating knowledge-base records through the API. This could lead to unauthorized execution of scripts in the context of the user's session, compromising user data and security.

References

https://github.com/espocrm/espocrm/issues/1356

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 28, 2019
Vulnerability Reserved
Jul 28, 2019

Espocrm

What is CVE-2019-14350?

References

CVSS V3.1

Timeline