PT-2019-13746 · Espocrm · Espocrm

Gauravnarwani97

Published

2019-08-05

Updated

2019-08-09

CVE-2019-14548

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 5.6.9

Description An issue allows stored XSS in the body of an Article, which is executed when a victim opens articles received through mail. The Article can be formed by an attacker using the Knowledge Base feature. The attacker could inject malicious JavaScript inside the body of the article to steal victims' cookies, thus compromising their accounts.

Recommendations For versions prior to 5.6.9, update to version 5.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Knowledge Base feature to minimize the risk of exploitation. Avoid using the Knowledge Base feature to form Articles until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-14548

Affected Products

Espocrm

PT-2019-13746 · Espocrm · Espocrm

CVE-2019-14548

Weakness Enumeration

Related Identifiers

Affected Products

References · 6