Yurikuzn

Rank: #20933 of 53,630
Total CVSS: 11.9
Vulnerabilities: 2 (Medium: 2)
PT-2026-44407 · CVSS 6.5 · 2026-05-28
Espocrm · Espocrm · CVE-2026-41141
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5.
PT-2026-32522 · CVSS 5.4 · 2026-04-13
Espocrm · Espocrm · CVE-2026-33740
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.3.4.

Description: An Insecure Direct Object Reference (IDOR) exists in the `/api/v1/Email/importEml` endpoint. The `fileId` parameter is used to fetch attachments from the repository without verifying that the current user is authorized to access them. Authenticated users with Email:create and Import permissions can read other users' .eml attachment contents by importing them into their own mailbox, which also results in the deletion of the original attachment record.

Recommendations: Update to version 9.3.4. As a temporary workaround, restrict access to the `/api/v1/Email/importEml` endpoint.