Iframe Dashlet Vulnerability in EspoCRM by EspoCRM
CVE-2025-32385
6.5 MEDIUM
What is CVE-2025-32385?
EspoCRM, an open-source Customer Relationship Management application, is affected by a vulnerability in its iframe dashlet in versions prior to 9.0.5. The dashlet lets users display an iframe pointing at an arbitrary URL without enforcing the sandbox attribute, so the remote page can open popups outside of the iframe. This creates a phishing risk: an attacker could convince a user to enter a malicious URL into the dashlet and then trick the user through the unsandboxed page. The remote page can also send messages to the parent frame, but EspoCRM does not consume these messages, so that channel has no further impact. Users are advised to upgrade to version 9.0.5 or later to mitigate this risk.
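The condition described above is a missing or permissive `sandbox` attribute on an iframe whose `src` is user-controlled. The following added example (not EspoCRM's code, and not the project's actual fix) shows a small audit routine that flags iframe tags lacking a sandbox or carrying tokens that permit popups or top-level navigation, beside a builder that emits an iframe with a restrictive sandbox. The choice of `allow-scripts` as the only permitted token, the scheme allow-list, and the sample tags are assumptions made for the example; the exact sandbox value used in 9.0.5 is not stated on the page.

```javascript
// Added example: audit <iframe> markup for a missing or permissive sandbox
// attribute, and build a dashlet iframe that cannot open popups.
// Not EspoCRM code; sandbox token choices are this example's own.

// Sandbox tokens that let an embedded page escape the frame or open new
// browsing contexts. Any of these defeats the protection the advisory wants.
const RISKY_TOKENS = new Set([
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Parse the attributes of the opening <iframe ...> tag into an object.
// Handles double-quoted, single-quoted, unquoted and bare (valueless) attributes.
function parseIframeAttributes(tag) {
  const open = tag.match(/<iframe\b([^>]*)>/i);
  if (!open) return {};
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(open[1])) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Report whether an iframe tag is sandboxed tightly enough that the remote
// page cannot open popups or navigate the top-level window.
function auditIframe(tag) {
  const attrs = parseIframeAttributes(tag);
  const src = attrs.src ?? '';
  if (!('sandbox' in attrs)) {
    return { src, ok: false, reason: 'no sandbox attribute: remote page is unrestricted' };
  }
  const tokens = attrs.sandbox.trim().toLowerCase().split(/\s+/).filter(Boolean);
  const risky = tokens.filter((t) => RISKY_TOKENS.has(t));
  if (risky.length > 0) {
    return { src, ok: false, reason: `sandbox permits ${risky.join(', ')}` };
  }
  return { src, ok: true, reason: 'sandboxed; popups and top-level navigation blocked' };
}

// Build a dashlet iframe for a user-supplied URL. Only http/https are accepted
// (assumed policy), the URL is attribute-escaped, and the sandbox allows
// scripts but nothing that could open windows outside the frame.
function buildDashletIframe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error('dashlet URL is not a valid absolute URL');
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    throw new Error(`dashlet URL scheme not allowed: ${parsed.protocol}`);
  }
  const safeSrc = parsed.href
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
  return `<iframe src="${safeSrc}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample tags representing the unsafe and safe dashlet markup.
const SAMPLE_TAGS = [
  '<iframe src="https://example.com/widget"></iframe>',
  '<iframe src="https://example.com/widget" sandbox="allow-scripts allow-popups"></iframe>',
  '<iframe src="https://example.com/widget" sandbox="allow-scripts"></iframe>',
  buildDashletIframe('https://example.com/report?a=1&b=2'),
];

for (const tag of SAMPLE_TAGS) {
  const result = auditIframe(tag);
  console.log(`${result.ok ? 'OK  ' : 'FAIL'} ${result.src}: ${result.reason}`);
}
```

Run with `node audit.js` on any file of dashlet markup you have exported; a `FAIL` line identifies a frame that an embedded page could use to open a window outside the dashlet. Note that combining `allow-scripts` with `allow-same-origin` would let a same-origin page remove its own sandbox, which is why the builder grants only `allow-scripts`.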
Affected Version(s)
espocrm < 9.0.5