Lucene search

K

Espocrm Security Vulnerabilities

cve
cve

CVE-2024-24818

EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in...

5.9CVSS

5.6AI Score

0.0004EPSS

2024-03-21 02:52 AM
15
cve
cve

CVE-2023-46736

EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host......

6.5CVSS

6.4AI Score

0.001EPSS

2023-12-05 09:15 PM
22
cve
cve

CVE-2023-5966

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code...

9.1CVSS

7AI Score

0.001EPSS

2023-11-30 02:15 PM
9
cve
cve

CVE-2023-5965

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code...

9.1CVSS

7.1AI Score

0.001EPSS

2023-11-30 02:15 PM
24
cve
cve

CVE-2018-17302

Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft...

5.4CVSS

5.1AI Score

0.001EPSS

2018-09-21 07:29 AM
28
cve
cve

CVE-2022-38845

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...

6.1CVSS

5.9AI Score

0.002EPSS

2022-09-16 02:15 PM
22
cve
cve

CVE-2014-8330

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new...

5.4AI Score

0.001EPSS

2022-10-03 04:20 PM
20
cve
cve

CVE-2022-38844

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his...

8CVSS

7.7AI Score

0.002EPSS

2022-09-16 02:15 PM
22
cve
cve

CVE-2022-38843

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Attacker may execute these malicious files to run unintended code on the server to compromise the...

8.8CVSS

8.8AI Score

0.001EPSS

2022-09-16 02:15 PM
23
4
cve
cve

CVE-2022-38846

EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM...

5.9CVSS

5.6AI Score

0.001EPSS

2022-09-16 02:15 PM
25
2
cve
cve

CVE-2021-3539

EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the...

6.3CVSS

5.4AI Score

0.001EPSS

2021-08-04 11:15 PM
201
cve
cve

CVE-2019-14550

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus...

5.4CVSS

5.1AI Score

0.001EPSS

2019-08-05 07:15 PM
35
cve
cve

CVE-2019-14549

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible.....

5.4CVSS

5.1AI Score

0.001EPSS

2019-08-05 07:15 PM
35
cve
cve

CVE-2019-14547

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the...

5.4CVSS

5.1AI Score

0.001EPSS

2019-08-05 07:15 PM
34
cve
cve

CVE-2019-14548

An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside...

5.4CVSS

5.1AI Score

0.001EPSS

2019-08-05 07:15 PM
34
cve
cve

CVE-2019-14546

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature,...

5.4CVSS

5.1AI Score

0.001EPSS

2019-08-05 07:15 PM
39
cve
cve

CVE-2019-14349

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be executed when a user...

6.1CVSS

5.9AI Score

0.001EPSS

2019-07-28 04:15 PM
79
cve
cve

CVE-2019-14350

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record...

6.1CVSS

5.9AI Score

0.001EPSS

2019-07-28 04:15 PM
79
cve
cve

CVE-2019-14351

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash by 1 symbol at a time using specially crafted api/v1/User?filterList...

8.8CVSS

8.5AI Score

0.001EPSS

2019-07-28 04:15 PM
80
cve
cve

CVE-2019-14329

An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript...

6.1CVSS

5.8AI Score

0.001EPSS

2019-07-28 02:15 PM
80
cve
cve

CVE-2019-14330

An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript...

6.1CVSS

5.8AI Score

0.001EPSS

2019-07-28 02:15 PM
81
cve
cve

CVE-2019-14331

An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript...

6.1CVSS

5.8AI Score

0.001EPSS

2019-07-28 02:15 PM
79
cve
cve

CVE-2019-13643

Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a malicious link on...

6.1CVSS

6AI Score

0.001EPSS

2019-07-18 03:15 AM
22
cve
cve

CVE-2018-17301

Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search...

5.4CVSS

5.2AI Score

0.001EPSS

2018-09-21 07:29 AM
18
cve
cve

CVE-2014-7986

install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess...

6.5AI Score

0.013EPSS

2014-10-31 02:55 PM
25
cve
cve

CVE-2014-7985

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to...

7.1AI Score

0.009EPSS

2014-10-31 02:55 PM
27
cve
cve

CVE-2014-7987

Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to...

5.7AI Score

0.003EPSS

2014-10-31 02:55 PM
25