PT-2019-13628 · Espo · Espocrm
Dayn1Ne · Published 2019-07-28 · Updated 2019-07-30 · CVE-2019-14349
CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
EspoCRM version 5.6.4
Description
The issue is a stored XSS caused by the lack of filtering of user-supplied data in the "api/v1/Document" functionality, which is used for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name, and that code is executed when a user opens a page of any profile with this document.
Recommendations
For EspoCRM version 5.6.4, consider disabling the "api/v1/Document" functionality until a patch is available to prevent the upload of crafted files that can lead to stored XSS attacks. Additionally, restrict access to the document storage feature in the account tab to minimize the risk of exploitation. Avoid using the api/v1/Document endpoint for storing documents until the issue is resolved.
Exploit
Fix
XSS
Affected Products
Espocrm