Arbitrary IP/Domain Redirection Vulnerability in EspoCRM Could Lead to Credential Stealing
CVE-2024-24818

5.9MEDIUM

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 21 March 2024

What is CVE-2024-24818?

EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.

Affected Version(s)

espocrm < 8.1.2

References

https://github.com/espocrm/espocrm/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/espocrm/espocrm/commit/3babdfa3399e328...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2024
Vulnerability Reserved
Jan 31, 2024

Espocrm

What is CVE-2024-24818?

Affected Version(s)

References

CVSS V3.1

Timeline