Lucene search

[email protected]CVE-2024-24818

HistoryMar 21, 2024 - 2:52 a.m.

CVE-2024-24818

2024-03-2102:52:12

CWE-610

[email protected]

web.nvd.nist.gov

espocrm

open source

crm

software

vulnerability

fixed

cve-2024-24818

ip injection

domain injection

redirect

malicious page

5.9 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in “Password Change” page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.

Affected configurations

Vulners

Node

espocrmespocrmRange<8.1.2

VendorProductVersionCPE
espocrmespocrm*cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
espocrm	espocrm	*	cpe:2.3:a:espocrm:espocrm::::::::

CNA Affected

[
  {
    "vendor": "espocrm",
    "product": "espocrm",
    "versions": [
      {
        "version": "< 8.1.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/espocrm/espocrm/commit/3babdfa3399e328fb1bd83a1b4ed03d509f4c8e7

github.com/espocrm/espocrm/security/advisories/GHSA-8gv6-8r33-fm7j

5.9 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVE-2024-24818

cvelist1 prion1 osv2 nvd1