CVE-2019-14546

Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 5.6.9

Description The issue allows for stored XSS execution on the Preference page and when sending an email. This occurs when a malicious payload is inserted inside the Email Signature in the Preference page. An attacker can insert malicious JavaScript inside their email signature, which is executed when the victim replies or forwards the mail, potentially allowing the attacker to steal victims' cookies and compromise their accounts.

Recommendations For versions prior to 5.6.9, update to version 5.6.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Email Signature feature in the Preference page until the update is applied. Avoid using potentially malicious email signatures until the issue is resolved.