Espocrm
CVE-2023-46736
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit c536cee63 which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit c536cee63 which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Espocrm. Version information: version 8.0.5..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local
Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any ext
EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is rem
Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization a
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating
Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or d
Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript
EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authentica
Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s brow
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated m
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today