CVE-2023-46736

Name: CVE-2023-46736
Creator: NVD / NIST
Published: 2023-12-05T21:15:07.243+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.36%

Last modified Jun 17, 2026

CVE-2023-46736 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. EPSS estimates a 0.36% chance of exploitation in the next 30 days.

Description

EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to `the /Attachment/fromImageUrl` endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit `c536cee63` which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.36%

27.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Espocrm	Espocrm	<= 8.0.2

References

https://github.com/espocrm/espocrm/commit/c536cee6375e2088f961af13db7aaa652c983072Patch
https://github.com/espocrm/espocrm/security/advisories/GHSA-g955-rwxx-jvf6Vendor Advisory
https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/Third Party Advisory
https://github.com/espocrm/espocrm/commit/c536cee6375e2088f961af13db7aaa652c983072Patch
https://github.com/espocrm/espocrm/security/advisories/GHSA-g955-rwxx-jvf6Vendor Advisory
https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/Third Party Advisory

Timeline

Published: Dec 5, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-46736?

How severe is CVE-2023-46736?

CVE-2023-46736 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.36% probability of exploitation in the next 30 days.

How do I fix CVE-2023-46736?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-46736?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST