CVE-2019-14331

Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 5.6.6

Description An issue exists due to the lack of filtration of user-supplied data in the Create User function, allowing stored XSS. A malicious attacker can modify the firstName and lastName fields to contain JavaScript code.

Recommendations For versions prior to 5.6.6, update to version 5.6.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability to modify user fields, especially firstName and lastName, to prevent potential exploitation.