CSV Injection in Create Contacts Feature of EspoCRM by EspoCRM
CVE-2022-38844

8HIGH

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 16 September 2022

What is CVE-2022-38844?

EspoCRM version 7.1.8 is susceptible to a CSV Injection vulnerability in its Create Contacts feature. This flaw allows remote authenticated users to craft malicious payloads while creating contacts. If an admin exports these contacts to a CSV file, they may inadvertently execute harmful system commands on their system, posing a significant security risk.

References

https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 16, 2022
Vulnerability Reserved
Aug 29, 2022

Espocrm

What is CVE-2022-38844?

References

CVSS V3.1

Timeline