Stored Cross-Site Scripting in EspoCRM Affects User Security
CVE-2019-14550

5.4 MEDIUM

Key Information:

Vendor: Espocrm

Status: Vendor

CVE Published: 5 August 2019

What is CVE-2019-14550?

EspoCRM versions before 5.6.9 contain a stored cross-site scripting (XSS) vulnerability in the Edit Dashboard feature on the Homepage. An attacker can inject malicious JavaScript through the add tab list feature; the injected script executes whenever a user clicks the Edit Dashboard button, which can lead to theft of that user's cookies and potentially to account compromise. Users are advised to upgrade to version 5.6.9 or later to mitigate this risk.
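The description above matches the classic stored-XSS pattern: a label typed by one user is saved and later inserted into the page as HTML for every other user who opens the same view. The following is an added illustration, not EspoCRM's own code and not a reconstruction of how EspoCRM renders its dashboard tabs; the function names, the tab markup and the sample labels are all constructed for this example. It shows the unsafe concatenation beside the hardened form and a small check a reviewer or test suite can use to tell them apart.

```javascript
// Added example (not EspoCRM code): rendering user-supplied dashboard tab
// names. The template, function names and sample labels are assumptions
// made for illustration only.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored label is concatenated straight into markup,
// so any tags it contains become part of the page for whoever views it.
function renderTabListUnsafe(tabNames) {
  return tabNames.map((name) => `<li class="tab">${name}</li>`).join("");
}

// Hardened pattern: every label passes through escapeHtml() before it reaches
// the markup. The label still displays exactly as the user typed it, but it
// can no longer introduce elements or attributes of its own.
function renderTabListSafe(tabNames) {
  return tabNames
    .map((name) => `<li class="tab">${escapeHtml(name)}</li>`)
    .join("");
}

// Review/test helper: does the rendered fragment contain any tag other than
// the <li> elements the template itself emits? True means user input reached
// the page as markup.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?li$/.test(t));
}

// Constructed sample: one plain label and one that carries HTML markup.
const sampleTabs = ["Sales", "<b>Leads</b> & <i>Deals</i>"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderTabListUnsafe(sampleTabs));
  console.log("safe:  ", renderTabListSafe(sampleTabs));
}
```

In a real application the same rule applies wherever the stored label is inserted: build the tab element with `textContent` (or the templating engine's escaping output) rather than `innerHTML` or string concatenation, and treat `containsForeignTag`-style checks as a regression test for the view, not as a replacement for escaping on output.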

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved
