PT-2022-24595 · Espocrm · Espocrm
Published
2022-09-16
·
Updated
2024-03-06
·
CVE-2022-38845
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
EspoCRM version 7.1.8
Description
The issue allows remote users to run malicious JavaScript in a victim's browser via sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScript in the browser.
Recommendations
For EspoCRM version 7.1.8, update to a version that fixes the Cross Site Scripting issue in the Import feature to prevent malicious JavaScript execution.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Espocrm