Cross Site Scripting Vulnerability in EspoCRM by Espo Technologies
CVE-2022-38845

6.1MEDIUM

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 16 September 2022

What is CVE-2022-38845?

EspoCRM version 7.1.8 is susceptible to a Cross Site Scripting (XSS) vulnerability through its import feature. This vulnerability allows remote attackers to craft malicious CSV files containing JavaScript code. When an authenticated user imports such a file, the embedded JavaScript executes in their browser, potentially leading to unauthorized actions or data exposure. Proper input validation and sanitization measures should be implemented to prevent exploitation of this vulnerability.

References

https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 16, 2022
Vulnerability Reserved
Aug 29, 2022

Espocrm

What is CVE-2022-38845?

References

CVSS V3.1

Timeline