Espocrm · Espocrm · CVE-2026-33733
**Name of the Vulnerable Software and Affected Versions**
EspoCRM versions prior to 9.3.4
**Description**
The admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. This allows an authenticated admin to use path traversal sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files whose path resolves to `body.tpl` or `subject.tpl`, subject to the web application user's filesystem permissions.
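As an added illustration (not EspoCRM's own code), the vulnerable path-building pattern the description refers to, next to a hardened version that allowlists `name` and `scope` as identifiers and confines the resolved path to the template root. The root directory, the identifier pattern and the function names are assumptions made for this example.

```python
import os
import re

# Hypothetical template root for this example (constructed; not EspoCRM's real layout).
TEMPLATE_ROOT = "/srv/app/templates"
ALLOWED_FILES = ("body.tpl", "subject.tpl")
# Template names and entity scopes are plain identifiers: no separators, no dots.
IDENTIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def build_path_unsafe(name: str, scope: str, file: str) -> str:
    """Vulnerable pattern: request values are joined into the path unchanged.
    A name or scope containing '..' segments escapes TEMPLATE_ROOT."""
    return os.path.join(TEMPLATE_ROOT, scope, name, file)


def build_path_safe(name: str, scope: str, file: str) -> str:
    """Hardened pattern: allowlist every component, then verify the normalized
    result still lies under TEMPLATE_ROOT before touching the filesystem."""
    if file not in ALLOWED_FILES:
        raise ValueError(f"unexpected template file: {file!r}")
    for label, value in (("name", name), ("scope", scope)):
        if not IDENTIFIER.fullmatch(value):
            raise ValueError(f"invalid template {label}: {value!r}")
    candidate = os.path.normpath(os.path.join(TEMPLATE_ROOT, scope, name, file))
    # Defence in depth: even if the allowlist is loosened later, refuse any path
    # outside the root. On a live system use os.path.realpath to follow symlinks too.
    if os.path.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        raise ValueError("template path escapes the template root")
    return candidate


def escapes_root(path: str) -> bool:
    """True when the normalized path lies outside TEMPLATE_ROOT (component-wise,
    so a sibling directory with the same prefix is also treated as outside)."""
    return os.path.commonpath([TEMPLATE_ROOT, os.path.normpath(path)]) != TEMPLATE_ROOT


def accepts(name: str, scope: str, file: str) -> bool:
    """Convenience wrapper: does the hardened builder accept this request?"""
    try:
        build_path_safe(name, scope, file)
        return True
    except ValueError:
        return False
```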
**Recommendations**
Update to version 9.3.4.