Product: EspoCRM
Vendor: Letrium LTD/Open source software
Version: 4.5.0, possibly earlier
Category: Cross Site Scripting
Vendor notified: 2017-03-24
Patched: 2017-04-03
Disclosed: 2017-04-22
Researcher: Carl Pearson

Multiple persistent cross site scripting (XSS) vulnerabilities exist in EspoCRM v4.5.0, in the Knowledge Base article body text field, Accounts billing and shipping address fields, Contacts name and address fields, and Leads address fields. An authenticated EspoCRM user with appropriate permissions to each module could exploit these vulnerabilities to execute Javascript code in the context of other site users.


If successful, an attacker could obtain the victim’s session cookie and use it to gain access to their account. An attacker must be authenticated to the EspoCRM system and have authorization for each affected module in order to exploit the module’s XSS vulnerabilites.

Proof of Concept
See the attached report file for technical details.

EspoCRM v4.5.1 patches these issues. Updating any existing EspoCRM installs is recommended.

Product home:
Bug notice:
OWASP XSS overview:

This report may be edited to include a CVE number if one is assigned.

Categories: Advisory

Leave a Reply

Your email address will not be published. Required fields are marked *