Security Advisory – Multiple Cross Site Scripting Vulnerabilities in EspoCRM

Product: EspoCRM
Vendor: Letrium LTD/Open source software
Version: 4.5.0, possibly earlier
Category: Cross Site Scripting
Vendor notified: 2017-03-24
Patched: 2017-04-03
Disclosed: 2017-04-22
Researcher: Carl Pearson

Summary
Multiple persistent cross site scripting (XSS) vulnerabilities exist in EspoCRM v4.5.0, in the Knowledge Base article body text field, Accounts billing and shipping address fields, Contacts name and address fields, and Leads address fields. An authenticated EspoCRM user with appropriate permissions to each module could exploit these vulnerabilities to execute JavaScript code in the context of other site users.

Impact
If successful, an attacker could obtain the victim’s session cookie and use it to gain access to their account. An attacker must be authenticated to the EspoCRM system and have authorization for each affected module in order to exploit the module’s XSS vulnerabilities.

Proof of Concept
See the attached report file for technical details.

Solution
EspoCRM v4.5.1 patches these issues. Updating any existing EspoCRM installs is recommended.
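
An added example, not taken from the advisory or from the EspoCRM project: a heuristic review of exported records for markup already stored in the fields listed in the Summary. The record layout, module keys and field keys are assumptions made for the example, and the sample records are constructed.

```python
import re

# Modules and field kinds come from the advisory's Summary. The module and
# field keys below are assumptions for this example, not the EspoCRM schema.
PLAIN_FIELDS = {
    "Account": ["billingAddress", "shippingAddress"],
    "Contact": ["name", "address"],
    "Lead": ["address"],
}
RICH_FIELDS = {"KnowledgeBaseArticle": ["body"]}

# Plain-text fields should not contain any tag at all.
ANY_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Rich text may carry formatting tags, so flag only active content.
# Heuristic: expect false positives; findings are for manual review.
ACTIVE = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def audit(records):
    """Return (module, id, field) for each stored value that needs review."""
    findings = []
    for rec in records:
        module = rec.get("module")
        checks = [(PLAIN_FIELDS, ANY_TAG), (RICH_FIELDS, ACTIVE)]
        for fields, pattern in checks:
            for field in fields.get(module, []):
                if pattern.search(str(rec.get(field) or "")):
                    findings.append((module, rec.get("id"), field))
    return findings

# Constructed sample export; none of these values come from the advisory.
SAMPLE = [
    {"module": "Account", "id": "a1", "billingAddress": "12 High St",
     "shippingAddress": "<img src=x onerror=alert(1)>"},
    {"module": "Contact", "id": "c1", "name": "Ann Lee", "address": "4 Mill Rd"},
    {"module": "Lead", "id": "l1", "address": "<script>alert(1)</script>"},
    {"module": "KnowledgeBaseArticle", "id": "k1", "body": "<p>Reset steps</p>"},
    {"module": "KnowledgeBaseArticle", "id": "k2",
     "body": '<p>Hi</p><a href="javascript:alert(1)">x</a>'},
]

if __name__ == "__main__":
    for module, rec_id, field in audit(SAMPLE):
        print(f"review {module} {rec_id}: markup in {field}")
```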

Reference
Product home: https://www.espocrm.com/
Bug notice: https://github.com/espocrm/espocrm/issues/468
OWASP XSS overview: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

This report may be edited to include a CVE number if one is assigned.
