Code injection
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution...
CVE-2023-5966
CVE-2023-5966 affects EspoCRM 7.2.5. An authenticated privileged attacker can upload a specially crafted ZIP via the extension deployment form, leading to arbitrary PHP code execution on the EspoCRM server. The issue is tied to the vulnerability in EspoCRM’s deployment mechanism and is confirmed ...
CVE-2023-5966 Unrestricted Upload of File with Dangerous Type in EspoCRM
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution...
CVE-2023-5965
CVE-2023-5965 affects EspoCRM v7.2.5. An authenticated privileged attacker can upload a specially crafted ZIP via the update form, enabling arbitrary PHP code execution on the server. Exploitation is described across multiple sources as requiring high privileges with no user interaction, and the ...
CVE-2023-5965 Unrestricted Upload of File with Dangerous Type in EspoCRM
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution...
EspoCRM Code Issues Vulnerabilities
EspoCRM is an open source web-based customer relationship management (CRM) system. The system provides features such as sales automation, community and customer support. A code issue vulnerability exists in EspoCRM version 7.2.5 that stems from the presence of arbitrary PHP code execution...
PT-2023-32447 · Espocrm · Espocrm
Name of the Vulnerable Software and Affected Versions: EspoCRM version 7.2.5 Description: An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server via the update form, which could lead to arbitrary PHP code execution. Recommendations: For EspoCRM version...
PT-2023-32448 · Espocrm · Espocrm
Name of the Vulnerable Software and Affected Versions: EspoCRM version 7.2.5 Description: An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server via the extension deployment form, which could lead to arbitrary PHP code execution. Recommendations: For EspoC...
CVE-2022-38845
Cross Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...
CVE-2022-38844
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on their own system...
CVE-2022-38846
EspoCRM version 7.1.8 is vulnerable to a Missing Secure Flag, allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using a MITM attack...
CVE-2022-38843
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload, allowing attackers to upload a malicious file with any extension to the server. An attacker may execute these malicious files to run unintended code on the server and compromise it...