CVE-2019-14547
CVE-2019-14547 is a vulnerability of currently unknown severity. An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when an attacker sends an attachment to an admin with malicious JavaScript in the filename. EPSS estimates a 1.08% chance of exploitation in the next 30 days.
Description
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when an attacker sends an attachment to an admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Espocrm | Espocrm | < 5.6.9 |
References
- https://gauravnarwani.com/publications/cve-2019-14547/ (Exploit, Third Party Advisory)
- https://github.com/espocrm/espocrm/commit/ffd3f762ce4a8de3b8962f33513e073c55d943b5 (Patch, Third Party Advisory)
- https://github.com/espocrm/espocrm/issues/1369 (Third Party Advisory)
- https://github.com/espocrm/espocrm/releases/tag/5.6.9 (Release Notes, Third Party Advisory)
Source: NVD / NIST
