CVE-2019-14547

Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 5.6.9

Description An issue allows stored XSS execution when an attacker sends an attachment with malicious JavaScript in the filename to an admin. This JavaScript is executed when the admin selects the particular file from the list of all attachments, potentially allowing the attacker to steal victims' cookies and compromise their accounts.

Recommendations For versions prior to 5.6.9, update to version 5.6.9 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload attachments with potentially malicious filenames until a patch is applied. Avoid using the attachment feature with untrusted sources until the issue is resolved.