Password Hash Disclosure in EspoCRM Software
CVE-2025-32789

3.7LOW

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 16 April 2025

What is CVE-2025-32789?

EspoCRM, an open-source Customer Relationship Management software, has a vulnerability that allows unauthorized access to user password hashes prior to version 9.0.7. Attackers can exploit this flaw by sorting users based on their password hashes, potentially revealing other users' hashed passwords. Although the risk is minimal, an attacker with knowledge of their own password hash can systematically change their password and sort again to expose other users' hashes, compromising account security. This vulnerability has been addressed in version 9.0.7.

Affected Version(s)

espocrm < 9.0.7

References

https://github.com/espocrm/espocrm/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/espocrm/espocrm/commit/91740192d2e2c57...

x_refsource_MISC

https://github.com/espocrm/espocrm/commit/bd900d0b48fe37a...

x_refsource_MISC

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2025

Espocrm

What is CVE-2025-32789?

Affected Version(s)

References

CVSS V3.1

Timeline