CVE-2020-37094
Last modified
CVE-2020-37094 is a high-severity vulnerability rated 8.7/10 on the CVSS scale. EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.. EPSS estimates a 0.55% chance of exploitation in the next 30 days.
Description
EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Espocrm | Espocrm | <= 5.8.5 |
References
- https://www.espocrm.comProduct
- https://www.exploit-db.com/exploits/48376Exploit, VDB Entry
- https://www.vulncheck.com/advisories/espocrm-privilege-escalationThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2020-37094?
How severe is CVE-2020-37094?
How do I fix CVE-2020-37094?
Are you affected by CVE-2020-37094?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST