377 matches found
BIT-ESPOCRM-2022-38844
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system...
BIT-ESPOCRM-2022-38845
Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...
BIT-ESPOCRM-2022-38846
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel HTTP. An attacker may capture the cookie from the insecure channel using MITM attack...
BIT-ESPOCRM-2023-46736
EspoCRM is an Open Source CRM Customer Relationship Management software. In affected versions there is Server-Side Request Forgery SSRF vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Eve...
BIT-ESPOCRM-2023-5965
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution...
CVE-2024-24818 EspoCRM weakness in "Forgot password"
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2...
CVE-2024-24818 EspoCRM weakness in "Forgot password"
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2...
CVE-2024-24818 EspoCRM weakness in "Forgot password"
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2...
CVE-2024-24818
CVE-2024-24818 affects EspoCRM. The vulnerability stems from an input/control on the Password Change page that allows an attacker to inject arbitrary IPs or domains, enabling redirection of victims to a malicious page. This could facilitate credential theft or related attacks. Public documentatio...
PT-2024-20584 · Espocrm · Espocrm
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 8.1.2 Description: The issue allows an attacker to inject arbitrary IP or domain in the "Password Change" page, potentially redirecting the victim to a malicious page. This could lead to credential stealing or other...
CVE-2023-46736
EspoCRM is an Open Source CRM Customer Relationship Management software. In affected versions there is Server-Side Request Forgery SSRF vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Eve...
Server side request forgery (ssrf)
EspoCRM is an Open Source CRM Customer Relationship Management software. In affected versions there is Server-Side Request Forgery SSRF vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Eve...
CVE-2023-46736 Server-Side Request Forgery in espocrm
EspoCRM is an Open Source CRM Customer Relationship Management software. In affected versions there is Server-Side Request Forgery SSRF vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Eve...
CVE-2023-46736
CVE-2023-46736 affects EspoCRM, with a Server-Side Request Forgery (SSRF) vulnerability in the image URL upload flow via the path “/Attachment/fromImageUrl”. The flaw allows an attacker with access to that endpoint to specify an internal URL, bypass content-type checks via redirects, and potentia...
CVE-2023-46736 Server-Side Request Forgery in espocrm
EspoCRM is an Open Source CRM Customer Relationship Management software. In affected versions there is Server-Side Request Forgery SSRF vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Eve...
EspoCRM Code Issues Vulnerabilities
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. A code issue vulnerability exists in EspoCRM 8.0.2 and prior versions that stems from the presence of a Server Request Forgery SS...
CVE-2023-5966
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution...
CVE-2023-5966
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution...
CVE-2023-5965
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution...
CVE-2023-5965
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution...