Iframe Dashlet Vulnerability in EspoCRM by EspoCRM
CVE-2025-32385

5.3 MEDIUM

Key Information:

Vendor: Espocrm
Status: Espocrm (Vendor)
CVE Published: 16 April 2025

Summary

EspoCRM, an open-source Customer Relationship Management software, is affected by a vulnerability in the iframe dashlet prior to version 9.0.5. This vulnerability allows users to display iframes with arbitrary URLs without enforcing the sandbox attribute, potentially enabling the remote page to open popups outside of the iframe. This could trick users and pose a phishing risk, as attackers may convince users to input a malicious URL. Additionally, while the remote page could send messages to the parent frame, EspoCRM does not utilize these messages. Users are advised to upgrade to version 9.0.5 or later to mitigate this risk.
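As an added illustration that is not part of the advisory or of EspoCRM's own code: a small script that builds a dashlet iframe with the sandbox attribute set and audits a list of iframe attribute maps for the popup escape described above. The sandbox token list, the http(s)-only URL rule and the sample URLs are assumptions of this example, not statements about EspoCRM's implementation.

```javascript
// Added example (not EspoCRM's code): model the dashlet iframe's attributes and
// check them for the missing-sandbox popup escape described in CVE-2025-32385.

// Assumed token set for a hardened dashlet: scripting and same-origin access are
// kept so typical embedded pages still work, while popups, top-level navigation
// and form submission stay blocked because no allow-* token enables them.
// Caveat: allow-scripts plus allow-same-origin is only safe for cross-origin URLs;
// a same-origin page could strip its own sandbox with that pair.
const HARDENED_SANDBOX = ["allow-scripts", "allow-same-origin"];

// Build the attribute map for a dashlet iframe. Only http(s) URLs are accepted
// (an assumption of this example); anything else yields null.
function buildDashletIframe(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return { src: parsed.href, sandbox: HARDENED_SANDBOX.join(" ") };
}

// Report whether an iframe, given as a plain attribute map, lets the framed page
// open windows outside the frame. Browser rules: no sandbox attribute means no
// restrictions at all; with sandbox present, popups are blocked unless the
// allow-popups token is listed.
function iframeAllowsPopups(attrs) {
  if (!Object.prototype.hasOwnProperty.call(attrs, "sandbox")) return true;
  const tokens = new Set(
    String(attrs.sandbox).toLowerCase().split(/\s+/).filter(Boolean)
  );
  return tokens.has("allow-popups");
}

// Audit a list of iframe attribute maps and return the src of each one that can
// still spawn popups (the pre-9.0.5 dashlet behaviour).
function findPopupCapableIframes(iframes) {
  return iframes.filter(iframeAllowsPopups).map((f) => f.src);
}

// Constructed sample: an unsandboxed dashlet as shipped before 9.0.5, an iframe
// that explicitly opts into popups, and the hardened dashlet built above.
const SAMPLE_IFRAMES = [
  { src: "https://status.example.net/board" },
  { src: "https://wiki.example.net/", sandbox: "allow-scripts allow-popups" },
  buildDashletIframe("https://reports.example.net/weekly"),
];
```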

Affected Version(s)

espocrm < 9.0.5

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published