Iframe Dashlet Vulnerability in EspoCRM by EspoCRM
CVE-2025-32385
5.3MEDIUM
Key Information:
- Vendor
- Espocrm
- Status
- Espocrm
- Vendor
- CVE Published:
- 16 April 2025
Summary
EspoCRM, an open-source Customer Relationship Management software, is affected by a vulnerability in the iframe dashlet prior to version 9.0.5. This vulnerability allows users to display iframes with arbitrary URLs without enforcing the sandbox attribute, potentially enabling the remote page to open popups outside of the iframe. This could trick users and pose a phishing risk, as attackers may convince users to input a malicious URL. Additionally, while the remote page could send messages to the parent frame, EspoCRM does not utilize these messages. Users are advised to upgrade to version 9.0.5 or later to mitigate this risk.
Affected Version(s)
espocrm < 9.0.5
References
CVSS V3.1
Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published