Vendor: Letrium LTD/Open source software
Version: 4.5.0, possibly earlier
Category: Cross Site Scripting
Vendor notified: 2017-03-24
Researcher: Carl Pearson
A successful attack runs attacker-supplied script in the victim's browser. That script could, for example, read the victim's session cookie and hand it to the attacker, who then gains access to the victim's account. (Marking the session cookie HttpOnly blocks that particular read, but injected script can still act on the victim's behalf inside the live session, so it limits the impact rather than removing it.) To plant a payload, the attacker must already be authenticated to the EspoCRM instance and must be authorised to use each affected module, so these XSS vulnerabilities are exploitable only by an existing user, or by anyone who has obtained a lower-privileged account, against other users who view the same data.
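The bug class described above, as an added illustration that is not EspoCRM's code and not the reported issue: a record view that concatenates stored field values straight into markup, beside the same view with HTML output encoding applied. The record contents, field names and the `containsInjectedTag` check are constructed for this example.

```javascript
// Added example of stored XSS in a CRM-style record view and its fix.
// Generic illustration only; not EspoCRM code. The record below is constructed
// to look like what a low-privileged user could save into an editable field.
const record = {
  name: '<img src=x onerror="alert(document.cookie)">',
  phone: '555-0100',
};

// Vulnerable rendering: field values are interpolated into HTML unescaped,
// so a stored payload becomes live markup for every user who opens the record.
function renderVulnerable(rec) {
  return `<div class="name">${rec.name}</div><div class="phone">${rec.phone}</div>`;
}

// Fix: encode the characters that are significant in an HTML text or
// attribute context before the value reaches the page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSafe(rec) {
  return `<div class="name">${escapeHtml(rec.name)}</div><div class="phone">${escapeHtml(rec.phone)}</div>`;
}

// Crude reviewer check (constructed helper): does the rendered HTML contain any
// tag the template itself did not emit? Only tags in allowedTags are expected.
function containsInjectedTag(html, allowedTags = ['div']) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Stand-alone run: show both renderings and the check result for each.
console.log('vulnerable:', renderVulnerable(record), containsInjectedTag(renderVulnerable(record)));
console.log('safe:      ', renderSafe(record), containsInjectedTag(renderSafe(record)));
```

The escaping shown is only correct for HTML text and quoted attribute values; a value placed inside a script block, a URL, or inline CSS needs the encoding for that context instead, which is why template engines with context-aware auto-escaping are preferred over hand-rolled concatenation.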
Proof of Concept
See the attached report file for technical details.
EspoCRM v4.5.1 fixes these issues. Updating every existing EspoCRM installation to 4.5.1 or later is recommended.
Product home: https://www.espocrm.com/
Bug notice: https://github.com/espocrm/espocrm/issues/468
OWASP XSS overview: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
This report may be edited to include a CVE number if one is assigned.