Product: EspoCRM
Vendor: Letrium LTD/Open source software
Version: 4.5.0, possibly earlier
Category: Cross Site Scripting
Vendor notified: 2017-03-24
Patched: 2017-04-03
Disclosed: 2017-04-22
Researcher: Carl Pearson

Summary
Multiple persistent cross-site scripting (XSS) vulnerabilities exist in EspoCRM v4.5.0, in the Knowledge Base article body text field, Accounts billing and shipping address fields, Contacts name and address fields, and Leads address fields. An authenticated EspoCRM user with appropriate permissions to each module could exploit these vulnerabilities to execute JavaScript code in the context of other site users.

Impact

If successful, an attacker could obtain the victim’s session cookie and use it to gain access to their account. An attacker must be authenticated to the EspoCRM system and have authorization for each affected module in order to exploit the module’s XSS vulnerabilities.
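As an added illustration (not code from the advisory or from EspoCRM), the following Python shows the two things a defender wants around a stored XSS like this one: an audit of an exported record set for active content sitting in the affected fields, and entity-encoding of field values at render time so stored markup is displayed as text. The entity type and field names are assumptions for the example, not EspoCRM's real attribute names.

```python
import html
import re
from typing import Dict, List, Tuple

# Assumed names for illustration only; the modules and fields are the ones the
# advisory lists (KB article body, Account/Contact/Lead address and name fields).
AFFECTED_FIELDS = {
    "KnowledgeBaseArticle": ["body"],
    "Account": ["billingAddressStreet", "shippingAddressStreet"],
    "Contact": ["firstName", "lastName", "addressStreet"],
    "Lead": ["addressStreet"],
}

# Active content has no business in any of these fields: script tags,
# inline event-handler attributes, or javascript: URIs.
ACTIVE_CONTENT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def audit_records(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (entityType, id, field) for every affected field holding active content."""
    findings = []
    for rec in records:
        for field in AFFECTED_FIELDS.get(rec.get("entityType"), []):
            value = rec.get(field)
            if isinstance(value, str) and ACTIVE_CONTENT_RE.search(value):
                findings.append((rec["entityType"], rec["id"], field))
    return findings


def render_field(value: str) -> str:
    """Entity-encode a stored value so the browser shows it as text, not markup."""
    return html.escape(value, quote=True)


# Constructed sample export: two clean records and two that hold stored markup.
SAMPLE_RECORDS = [
    {"entityType": "Account", "id": "a1", "billingAddressStreet": "1 Main St"},
    {"entityType": "Contact", "id": "c1", "firstName": "Ann", "lastName": "<script>alert(1)</script>"},
    {"entityType": "Lead", "id": "l1", "addressStreet": "2 High Rd"},
    {"entityType": "KnowledgeBaseArticle", "id": "k1", "body": "<b onmouseover=alert(1)>hi</b>"},
]

if __name__ == "__main__":
    for hit in audit_records(SAMPLE_RECORDS):
        print("stored active content in", hit)
    print(render_field(SAMPLE_RECORDS[1]["lastName"]))
```

Running the audit over a database export after upgrading to 4.5.1 tells you whether any payloads were stored while the vulnerable version was in use; the encoding function is the shape of the fix on the display side.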

Proof of Concept
See the attached report file for technical details.

Solution
EspoCRM v4.5.1 patches these issues. Updating any existing EspoCRM installs is recommended.

Reference
Product home: https://www.espocrm.com/
Bug notice: https://github.com/espocrm/espocrm/issues/468
OWASP XSS overview: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

This report may be edited to include a CVE number if one is assigned.

Categories: Advisory