Espocrm: >> Espocrm >> 7.1.8 Security Vulnerabilities
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Attacker may execute these malicious files to run unintended code on the server to compromise the server.
CVSS Score
8.8
EPSS Score
0.005
Published
2022-09-16
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.
CVSS Score
8.0
EPSS Score
0.007
Published
2022-09-16
Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-09-16
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack.
CVSS Score
5.9
EPSS Score
0.001
Published
2022-09-16
Page 2