CVE-2019-13643

Name of the Vulnerable Software and Affected Versions EsponCRM versions prior to 5.6.4

Description The issue allows remote attackers to execute malicious JavaScript and inject arbitrary source code into target pages through a stored XSS attack. This attack involves storing a new stream message containing an XSS payload, which can then be triggered by clicking a malicious link on the Notifications page.

Recommendations For versions prior to 5.6.4, update to version 5.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Notifications page and stream messages to minimize the risk of exploitation.