Filtered by vendor Espocrm
Filtered by product Espocrm
Total: 26 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-38844 | 1 Espocrm | 1 Espocrm | 2024-08-03 | 8.0 High | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on their own system. |
CVE-2022-38845 | 1 Espocrm | 1 Espocrm | 2024-08-03 | 6.1 Medium | Cross Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScript in their browser. |
CVE-2022-38843 | 1 Espocrm | 1 Espocrm | 2024-08-03 | 8.8 High | EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload, allowing attackers to upload a malicious file with any extension to the server. An attacker may execute these malicious files to run unintended code on the server and compromise it. |
CVE-2023-46736 | 1 Espocrm | 1 Espocrm | 2024-08-02 | 5.3 Medium | EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is a Server-Side Request Forgery (SSRF) vulnerability via the upload-image-from-URL API. Users who have access to the `/Attachment/fromImageUrl` endpoint can specify a URL that points to an internal host. Even though there is a check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit `c536cee63`, which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-5966 | 1 Espocrm | 1 Espocrm | 2024-08-02 | 9.1 Critical | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution. |
CVE-2023-5965 | 1 Espocrm | 1 Espocrm | 2024-08-02 | 9.1 Critical | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution. |