Bitnami package
espocrm
pkg:bitnami/espocrm
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-24818 | — | | | < 8.1.2 | 8.1.2 | Feb 29, 2024 | EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject an arbitrary IP or domain in the "Password Change" page and redirect the victim to a malicious page, which could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2. |
| CVE-2023-46736 | — | | | < 8.0.2 | 8.0.2 | Dec 5, 2023 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is a Server-Side Request Forgery (SSRF) vulnerability via the upload-image-from-URL API. Users who have access to the `/Attachment/fromImageUrl` endpoint can specify a URL to point t |
| CVE-2023-5966 | Med | 4.7 | | < 7.5.2 | 7.5.2 | Nov 30, 2023 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution. |
| CVE-2023-5965 | Med | 4.7 | | < 7.5.2 | 7.5.2 | Nov 30, 2023 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution. |
| CVE-2022-38843 | — | | | >= 7.1.8, <= 7.1.8 | — | Sep 16, 2022 | EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload, allowing attackers to upload a malicious file with any extension to the server. An attacker may execute these malicious files to run unintended code on the server and compromise it. |
| CVE-2022-38844 | — | | | >= 7.1.8, <= 7.1.8 | — | Sep 16, 2022 | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on his |
| CVE-2022-38845 | — | | | >= 7.1.8, <= 7.1.8 | — | Sep 16, 2022 | Cross Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running |
| CVE-2022-38846 | — | | | >= 7.1.8, <= 7.1.8 | — | Sep 16, 2022 | EspoCRM version 7.1.8 is vulnerable to a Missing Secure Flag, allowing the browser to send plain-text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using a MITM attack. |
| CVE-2021-3539 | — | | | < 6.1.6 | 6.1.6 | Aug 4, 2021 | EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product. |