377 matches found
CVE-2025-52892 EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes e.g https://domain//Admin and the webserver does not strip the double slash, it can cause ...
CVE-2025-52892 EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes e.g https://domain//Admin and the webserver does not strip the double slash, it can cause ...
CVE-2025-52892 EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes e.g https://domain//Admin and the webserver does not strip the double slash, it can cause ...
EspoCRM 环境问题漏洞
EspoCRM is an open source web-based customer relationship management CRM system from EspoCRM Open Source. The system provides features such as sales automation, community and customer support. An environmental issue vulnerability exists in EspoCRM 9.1.6 and prior versions, which stems from a doub...
PT-2025-31880 · Espocrm · Espocrm
Name of the Vulnerable Software and Affected Versions: EspoCRM versions 9.1.6 and below Description: EspoCRM is a web application featuring a single-page application frontend and a PHP-based REST API backend. If a user accesses EspoCRM in a browser with double slashes e.g., https://domain//Admin...
CVE-2025-52575
EspoCRM is an Open Source CRM Customer Relationship Management software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard...
CVE-2025-52575
EspoCRM is an Open Source CRM Customer Relationship Management software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard...
CVE-2025-52575
CVE-2025-52575 maps to EspoCRM 9.1.6 and earlier, which are vulnerable to blind LDAP injection when LDAP authentication is enabled. An unauthenticated remote attacker can manipulate LDAP queries by injecting crafted inputs (e.g., wildcard characters) to bypass authentication, enumerate usernames,...
CVE-2025-52575 EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements
EspoCRM is an Open Source CRM Customer Relationship Management software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard...
CVE-2025-52575 EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements
EspoCRM is an Open Source CRM Customer Relationship Management software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard...
CVE-2025-52575 EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements
EspoCRM is an Open Source CRM Customer Relationship Management software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard...
EspoCRM 注入漏洞
EspoCRM is an open source web-based customer relationship management CRM system from EspoCRM Open Source. The system provides features such as sales automation, community and customer support. An injection vulnerability exists in EspoCRM 9.1.6 and earlier versions, which stems from insufficient...
PT-2025-30320 · Espocrm · Espocrm
Name of the Vulnerable Software and Affected Versions: EspoCRM versions 9.1.6 and earlier Description: EspoCRM is an Open Source CRM Customer Relationship Management software. Versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote,...
CVE-2024-24818
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2...
CVE-2023-46736
EspoCRM is an Open Source CRM Customer Relationship Management software. In affected versions there is Server-Side Request Forgery SSRF vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Eve...
CVE-2022-38843
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Attacker may execute these malicious files to run unintended code on the server to compromise the server...
CVE-2022-38846
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel HTTP. An attacker may capture the cookie from the insecure channel using MITM attack...
CVE-2019-14550
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus...
CVE-2019-14547
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the...
CVE-2019-14546
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, whi...