PT-2019-13746 · Espocrm · Espocrm

Gauravnarwani97 · Published 2019-08-05 · Updated 2019-08-09 · CVE-2019-14548

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
EspoCRM versions prior to 5.6.9

Description
An issue allows stored XSS in the body of an Article, which is executed when a victim opens articles received through mail. The Article can be formed by an attacker using the Knowledge Base feature. The attacker could inject malicious JavaScript inside the body of the article to steal victims' cookies, thus compromising their accounts.

Recommendations
For versions prior to 5.6.9, update to version 5.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Knowledge Base feature to minimize the risk of exploitation. Avoid using the Knowledge Base feature to form Articles until the issue is resolved.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related identifiers
CVE-2019-14548

Affected products
Espocrm