Stored XSS in EspoCRM Affects Email Functionality
CVE-2019-14546

5.4 MEDIUM

Key Information:

Vendor: EspoCRM
Status: Vendor
CVE Published: 5 August 2019

What is CVE-2019-14546?

EspoCRM versions prior to 5.6.9 are susceptible to a stored cross-site scripting (XSS) vulnerability that allows an authenticated user to inject JavaScript into their email signature. When a victim receives and interacts with an email carrying the injected signature, the script runs in the victim's browser and can expose their session cookies, leading to unauthorized account access. The vulnerability originates from improper handling of input on the Preferences page, specifically in the Email Signature field, whose contents are stored and later rendered without adequate sanitization.

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
