CVE-2019-14350

Name of the Vulnerable Software and Affected Versions EspoCRM version 5.6.4

Description The issue is related to stored XSS due to the lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during the "/api/v1/KnowledgeBaseArticle" API endpoint for knowledge-base record creation.

Recommendations For EspoCRM version 5.6.4, as a temporary workaround, consider validating and sanitizing user input for the body parameter in the "/api/v1/KnowledgeBaseArticle" API endpoint to prevent JavaScript code injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.