Unrated severityNVD Advisory· Published Apr 16, 2025· Updated Apr 17, 2025
EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function
CVE-2025-32789
Description
EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/espocrm/espocrm/commit/91740192d2e2c575c6a04534c079baf9f3af0a7fmitrex_refsource_MISC
- github.com/espocrm/espocrm/commit/bd900d0b48fe37a98def4c0e094e39e7e385e9eamitrex_refsource_MISC
- github.com/espocrm/espocrm/security/advisories/GHSA-3ph3-jcfx-fq53mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.