377 matches found
CVE-2019-14550
EspoCRM before 5.6.9 is affected by a Stored XSS vulnerability. An attacker can inject malicious JavaScript via the add tab list feature, which executes when a victim clicks Edit Dashboard on the Homepage, enabling cookie theft and account compromise. A fix is available in version 5.6.9 (see link...
CVE-2019-14549
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible...
CVE-2019-14549
EspoCRM prior to v5.6.9 is affected by a stored XSS vulnerability in the title and breadcrumb of newly created entities, potentially stealing cookies when a public link is visited. The underlying issue allows injection of JavaScript by a malicious user into those fields. A fix is available in the...
EspoCRM Trust Management Issue Vulnerabilities
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. EspoCRM is vulnerable to a trust management issue. An attacker can exploit this vulnerability to brute-force break a user's...
EspoCRM Cross-Site Scripting Vulnerability (CNVD-2019-24797)
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. A cross-site scripting vulnerability exists in EspoCRM versions prior to 5.6.6. The vulnerability stems from the WEB application...
EspoCRM Cross-Site Scripting Vulnerability (CNVD-2019-24800)
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. A cross-site scripting vulnerability exists in EspoCRM version 5.6.4. The vulnerability stems from the WEB application lacking...
EspoCRM Cross-Site Scripting Vulnerability (CNVD-2019-24801)
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. A cross-site scripting vulnerability exists in EspoCRM version 5.6.4. The vulnerability stems from the WEB application lacking...
EspoCRM cross-site scripting vulnerability (CNVD-2019-24798)
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. A cross-site scripting vulnerability exists in EspoCRM versions prior to 5.6.6. The vulnerability stems from the WEB application...
EspoCRM cross-site scripting vulnerability (CNVD-2019-24799)
EspoCRM is an open source web-based customer relationship management CRM system. The system provides features such as sales automation, community and customer support. A cross-site scripting vulnerability exists in EspoCRM versions prior to 5.6.6. The vulnerability stems from the WEB application...
CVE-2019-14349
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user...
CVE-2019-14351
EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash by 1 symbol at a time using specially crafted api/v1/User?filterList filters...
CVE-2019-14350
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation...
CVE-2019-14349
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user...
CVE-2019-14350
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation...
CVE-2019-14351
EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash by 1 symbol at a time using specially crafted api/v1/User?filterList filters...
Design/Logic Flaw
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation...
Cross site scripting
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user...
CVE-2019-14351
EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash by 1 symbol at a time using specially crafted api/v1/User?filterList filters...
CVE-2019-14351
EspoCRM 5.6.4 is vulnerable to user password hash enumeration . An authenticated attacker can brute-force a user password hash one symbol at a time using specially crafted api/v1/User?filterList filters. The connected documents confirm the affected product/version and the attack method; no exploi...
CVE-2019-14350
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation...