377 matches found

Prion
added 2014/10/31 2:55 p.m. | 20 views

Directory traversal

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php...

CVSS 10 | AI score 7.5 | EPSS 0.05026
Exploits 3 | References 5 | Affected Software 1

Prion
added 2014/10/31 2:55 p.m. | 22 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php...

CVSS 4.3 | AI score 6 | EPSS 0.02174
Exploits 3 | References 5 | Affected Software 1

Prion
added 2014/10/31 2:55 p.m. | 24 views

Code injection

install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter...

CVSS 5 | AI score 6.9 | EPSS 0.02858
Exploits 3 | References 5 | Affected Software 1

Cvelist
added 2014/10/31 2:0 p.m. | 31 views

CVE-2014-7985

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php...

AI score 7 | EPSS 0.05026
Exploits 3 | References 5

Cvelist
added 2014/10/31 2:0 p.m. | 33 views

CVE-2014-7986

install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter...

AI score 6.4 | EPSS 0.02858
Exploits 3 | References 5

Cvelist
added 2014/10/31 2:0 p.m. | 30 views

CVE-2014-7987

Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php...

AI score 5.6 | EPSS 0.02174
Exploits 3 | References 5

CVE
added 2014/10/31 2:0 p.m. | 52 views

CVE-2014-7987

CVE-2014-7987 affects EspoCRM prior to 2.6.0 and is a reflected cross-site scripting vulnerability. The issue arises from unsanitized input in the GET parameter desc passed to /install/index.php (via the errors path), allowing remote attackers to inject arbitrary HTML/JS. Connected advisories con...

CVSS 4.3 | AI score 5.7 | EPSS 0.02174
Exploits 3 | References 5 | Affected Software 1

CVE
added 2014/10/31 2:0 p.m. | 51 views

CVE-2014-7986

EspoCRM prior to 2.6.0 is affected by multiple issues via /install/index.php: CVE-2014-7986 allows remote reinstallation by setting installProcess=1 due to improper access control; CVE-2014-7985 enables PHP file inclusion via action parameter leading to potential code execution; CVE-2014-7987 ena...

CVSS 5 | AI score 6.5 | EPSS 0.02858
Exploits 3 | References 5 | Affected Software 1

CVE
added 2014/10/31 2:0 p.m. | 56 views

CVE-2014-7985

This CVE concerns EspoCRM prior to 2.6.0, where a directory traversal flaw in /install/index.php via the action parameter allows remote, unauthenticated local file inclusion and code execution. The High-Tech Bridge advisory and OpenVAS/PacketStorm materials corroborate: exploitation can enable fu...

CVSS 10 | AI score 7.1 | EPSS 0.05026
Exploits 3 | References 5 | Affected Software 1

0day.today
added 2014/10/30 12:0 a.m. | 84 views

EspoCRM 2.5.2 XSS / LFI / Access Control Vulnerabilities

EspoCRM version 2.5.2 suffers from cross site scripting, local file inclusion, and improper access control vulnerabilities. Product: EspoCRM Vendor: http://www.espocrm.com Vulnerable Versions: 2.5.2 and probably prior Tested Version: 2.5.2 Advisory Publication: October 8, 2014 without technical...

CVSS 10 | AI score 6.3 | EPSS 0.05026
Exploits 5

OpenVAS
added 2014/10/30 12:0 a.m. | 43 views

EspoCRM '/install/index.php' Multiple Vulnerabilities

EspoCRM is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 10 | AI score 6.5 | EPSS 0.05026
Exploits 5 | References 6

Packet Storm
added 2014/10/29 12:0 a.m. | 60 views

EspoCRM 2.5.2 XSS / LFI / Access Control

Advisory ID: HTB23238 Product: EspoCRM Vendor: http://www.espocrm.com Vulnerable Versions: 2.5.2 and probably prior Tested Version: 2.5.2 Advisory Publication: October 8, 2014 without technical details Vendor Notification: October 8, 2014 Vendor Patch: October 10, 2014 Public Disclosure: October...

CVSS 10 | AI score 0.4 | EPSS 0.05026
Exploits 5

NVD
added 2014/10/20 4:55 p.m. | 20 views

CVE-2014-8330

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account...

CVSS 3.5 | AI score 5.3 | EPSS 0.00802
Exploits 1 | References 1

Prion
added 2014/10/20 4:55 p.m. | 11 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account...

CVSS 3.5 | AI score 5.7 | EPSS 0.00802
Exploits 1 | References 1

Cvelist
added 2014/10/20 4:0 p.m. | 21 views

CVE-2014-8330

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account...

AI score 5.3 | EPSS 0.00802
Exploits 1 | References 1

CVE
added 2014/10/20 4:0 p.m. | 40 views

CVE-2014-8330

CVE-2014-8330 is a cross-site scripting (XSS) flaw in EspoCRM. The vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the Name field when creating a new account. The provided documents do not specify exploit details or remediation patches.

CVSS 3.5 | AI score 5.4 | EPSS 0.00802
Exploits 1 | References 1 | Affected Software 1

htbridge
added 2014/10/08 12:0 a.m. | 61 views

Multiple vulnerabilities in EspoCRM

High-Tech Bridge Security Research Lab discovered multiple high-risk vulnerabilities in EspoCRM, which can be exploited by remote attacker to execute arbitrary PHP code on a vulnerable system, reinstall the application from scratch, and compromise the entire system as the result. EspoCRM is also...

CVSS 7.6 | AI score 6.7 | EPSS 0.05026
Exploits 5 | Affected Software 1