{"id":114,"date":"2017-04-22T20:48:23","date_gmt":"2017-04-22T20:48:23","guid":{"rendered":"https:\/\/cp270.wordpress.com\/?p=114"},"modified":"2021-01-03T16:45:03","modified_gmt":"2021-01-03T16:45:03","slug":"security-advisory-multiple-cross-site-scripting-vulnerabilities-in-espocrm","status":"publish","type":"post","link":"https:\/\/cpearson.icu\/?p=114","title":{"rendered":"Security Advisory \u2013 Multiple Cross Site Scripting Vulnerabilities in EspoCRM"},"content":{"rendered":"

Product:<\/strong> EspoCRM
\nVendor:<\/strong> Letrium LTD\/Open source software
\nVersion:<\/strong> 4.5.0, possibly earlier
\nCategory<\/strong>: Cross Site Scripting
\nVendor notified:<\/strong> 2017-03-24
\nPatched:<\/strong> 2017-04-03
\nDisclosed: <\/strong>2017-04-22
\nResearcher:<\/strong> Carl Pearson<\/p>\n

Summary<\/strong>
\nMultiple persistent cross site scripting (XSS) vulnerabilities exist in EspoCRM v4.5.0, in the Knowledge Base article body text field, Accounts billing and shipping address fields, Contacts name and address fields, and Leads address fields. An authenticated EspoCRM user with appropriate permissions to each module could exploit these vulnerabilities to execute Javascript code in the context of other site users.
\n
\nImpact<\/strong>
\nIf successful, an attacker could obtain the victim’s session cookie and use it to gain access to their account. An attacker must be authenticated to the EspoCRM system and have authorization for each affected module in order to exploit the module’s XSS vulnerabilites.<\/p>\n

Proof of Concept<\/strong>
\nSee the attached report file<\/a> for technical details.<\/p>\n

Solution<\/strong>
\nEspoCRM v4.5.1 patches these issues. Updating any existing EspoCRM installs is recommended.<\/p>\n

Reference<\/strong>
\nProduct home: https:\/\/www.espocrm.com\/
\nBug notice: https:\/\/github.com\/espocrm\/espocrm\/issues\/468
\nOWASP XSS overview: https:\/\/www.owasp.org\/index.php\/Cross-site_Scripting_(XSS)<\/p>\n

This report may be edited to include a CVE number if one is assigned.<\/p>\n","protected":false},"excerpt":{"rendered":"

Product: EspoCRM Vendor: Letrium LTD\/Open source software Version: 4.5.0, possibly earlier Category: Cross Site Scripting Vendor notified: 2017-03-24 Patched: 2017-04-03 Disclosed: 2017-04-22 Researcher: Carl Pearson Summary Multiple persistent cross site scripting (XSS) vulnerabilities exist in EspoCRM v4.5.0, in the Knowledge Base article body text field, Accounts billing and shipping address […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-114","post","type-post","status-publish","format-standard","hentry","category-advisory"],"_links":{"self":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=114"}],"version-history":[{"count":1,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":168,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/114\/revisions\/168"}],"wp:attachment":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}