EspoCRM
All CVEs
43 total · sorted by risk

Vendor / Product is EspoCRM for every row, and the KEV column carried no value for any row, so both columns are omitted below. Descriptions ending in "…" are truncated on the source page.

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-33656 | Critical | 0.52 | 9.1 | 0.01 | Apr 22, 2026 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's `sourceId`, thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities.… |
| CVE-2026-33733 | High | 0.40 | 7.2 | 0.00 | Apr 22, 2026 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal… |
| CVE-2026-33741 | Medium | 0.37 | 6.8 | 0.00 | May 19, 2026 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment… |
| CVE-2026-41141 | Medium | 0.35 | 6.5 | 0.00 | May 28, 2026 | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An… |
| CVE-2018-17302 | Medium | 0.35 | 5.4 | 0.01 | Sep 21, 2018 | Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message. |
| CVE-2018-17301 | Medium | 0.35 | 5.4 | 0.01 | Sep 21, 2018 | Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel. |
| CVE-2023-5966 | Medium | 0.31 | 4.7 | 0.01 | Nov 30, 2023 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution. |
| CVE-2023-5965 | Medium | 0.31 | 4.7 | 0.01 | Nov 30, 2023 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution. |
| CVE-2026-33740 | Medium | 0.28 | 5.4 | 0.00 | Apr 13, 2026 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any… |
| CVE-2026-33534 | Medium | 0.24 | 4.3 | 0.02 | Apr 13, 2026 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as… |
| CVE-2026-33657 | Medium | 0.23 | 4.6 | 0.00 | Apr 13, 2026 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email… |
| CVE-2026-41160 | Medium | 0.21 | 4.3 | 0.00 | May 28, 2026 | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a… |
| CVE-2026-33659 | Low | 0.16 | 3.5 | 0.00 | Apr 13, 2026 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses… |
| CVE-2020-37094 | — | 0.00 | — | 0.01 | Feb 3, 2026 | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user… |
| CVE-2025-59428 | — | 0.00 | — | 0.00 | Oct 14, 2025 | EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with… |
| CVE-2025-52892 | — | 0.00 | — | 0.00 | Aug 5, 2025 | EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g. https://domain//#Admin) and the webserver does not strip the double… |
| CVE-2025-52575 | — | 0.00 | — | 0.01 | Jul 21, 2025 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input… |
| CVE-2025-32390 | — | 0.00 | — | 0.00 | May 12, 2025 | EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse… |
| CVE-2025-32789 | — | 0.00 | — | 0.00 | Apr 16, 2025 | EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based… |
| CVE-2025-32385 | — | 0.00 | — | 0.00 | Apr 15, 2025 | EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, the Iframe dashlet allows a user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially… |
| CVE-2024-24818 | — | 0.00 | — | 0.01 | Feb 29, 2024 | EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject an arbitrary IP or domain in the "Password Change" page and redirect the victim to a malicious page, which could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2. |
| CVE-2023-46736 | — | 0.00 | — | 0.00 | Dec 5, 2023 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is a Server-Side Request Forgery (SSRF) vulnerability via the upload-image-from-URL API. Users who have access to the `/Attachment/fromImageUrl` endpoint can specify a URL to point… |
| CVE-2022-38843 | — | 0.00 | — | 0.01 | Sep 16, 2022 | EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload, allowing attackers to upload a malicious file with any extension to the server. An attacker may execute these malicious files to run unintended code on the server and compromise it. |
| CVE-2022-38844 | — | 0.00 | — | 0.01 | Sep 16, 2022 | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on… |
| CVE-2022-38845 | — | 0.00 | — | 0.01 | Sep 16, 2022 | Cross Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up… |
| CVE-2022-38846 | — | 0.00 | — | 0.00 | Sep 16, 2022 | EspoCRM version 7.1.8 is vulnerable to a missing Secure flag on cookies, allowing the browser to send plaintext cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using a MITM attack. |
| CVE-2021-3539 | — | 0.00 | — | 0.01 | Aug 4, 2021 | EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product. |
| CVE-2019-14547 | — | 0.00 | — | 0.01 | Aug 5, 2019 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when an attacker sends an attachment to an admin with malicious JavaScript in the filename. This JavaScript is executed when an admin selects the particular file from the list of all attachments. The attacker… |
| CVE-2019-14548 | — | 0.00 | — | 0.01 | Aug 5, 2019 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious… |
| CVE-2019-14546 | — | 0.00 | — | 0.01 | Aug 5, 2019 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his… |
| CVE-2019-14550 | — | 0.00 | — | 0.01 | Aug 5, 2019 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit… |
| CVE-2019-14549 | — | 0.00 | — | 0.01 | Aug 5, 2019 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the… |
| CVE-2019-14351 | — | 0.00 | — | 0.01 | Jul 28, 2019 | EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash one symbol at a time using specially crafted api/v1/User?filterList filters. |
| CVE-2019-14350 | — | 0.00 | — | 0.01 | Jul 28, 2019 | EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation. |
| CVE-2019-14349 | — | 0.00 | — | 0.01 | Jul 28, 2019 | EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. An attacker can upload a crafted file that contains JavaScript code in its name. This code will be… |
| CVE-2019-14331 | — | 0.00 | — | 0.01 | Jul 28, 2019 | An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code. |
| CVE-2019-14330 | — | 0.00 | — | 0.01 | Jul 28, 2019 | An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. A malicious attacker can modify the firstName and lastName to contain JavaScript code. |
| CVE-2019-14329 | — | 0.00 | — | 0.01 | Jul 28, 2019 | An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code. |
| CVE-2019-13643 | — | 0.00 | — | 0.01 | Jul 18, 2019 | Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a… |
| CVE-2014-7987 | — | 0.00 | — | 0.02 | Oct 31, 2014 | Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php. |
| CVE-2014-7986 | — | 0.00 | — | 0.03 | Oct 31, 2014 | install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter. |
| CVE-2014-7985 | — | 0.00 | — | 0.05 | Oct 31, 2014 | Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php. |
| CVE-2014-8330 | — | 0.00 | — | 0.01 | Oct 20, 2014 | Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account. |
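The three SSRF entries above share one root cause. CVE-2026-33534 bypasses the internal-host check with alternative IPv4 spellings (hex, octal, a single integer, shorthand) that a string-based blocklist never sees but that libc resolvers, and therefore curl, happily accept. CVE-2026-33659 (and the earlier CVE-2023-46736 on the same `/Attachment/fromImageUrl` endpoint) is the other half: the name is validated once, then the HTTP client resolves it again, and a DNS server with a short TTL answers differently the second time. The Python below is an added illustration, not EspoCRM's code. It parses the permissive `inet_aton()` spellings, validates every resolved address, and pins the connection to the validated IP. The resolver is injected and the "rebinding" resolver is a constructed stand-in, so everything runs offline; the public addresses are arbitrary sample values.

```python
"""Added example, not EspoCRM's code: SSRF host checks that survive alternative
IPv4 spellings (CVE-2026-33534) and DNS-rebinding TOCTOU (CVE-2026-33659)."""
import ipaddress
import re
from typing import Callable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]          # name -> list of address strings

# A check of the kind the bypass targets: literal compares plus a prefix test.
BLOCKED_LITERALS = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}

def naive_host_allowed(host: str) -> bool:
    return host not in BLOCKED_LITERALS and not host.startswith(("10.", "192.168.", "169.254."))

def parse_legacy_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the inet_aton() forms that curl accepts but strict parsers reject:
    hex (0x7f000001), octal (0177.0.0.1), a single integer (2130706433) and
    shorthand (127.1). Returns None if host is not such a spelling."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            values.append(int(p, 16))
        elif re.fullmatch(r"0[0-7]*", p):           # leading zero means octal
            values.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p):
            values.append(int(p, 10))
        else:
            return None
    *head, last = values                          # last part fills the remaining bytes
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << (8 * (4 - len(head)))) | last)

def is_internal(ip: IPAddr) -> bool:
    """Loopback, RFC 1918/ULA, link-local (169.254.169.254 metadata), unspecified,
    reserved and multicast; IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def resolve_and_pin(host: str, resolve: Resolver) -> str:
    """Resolve once, validate every answer, return the one IP the HTTP client must
    connect to (sending the original Host header). Validating the name and then
    letting the client resolve it again is the window a rebinding DNS server uses."""
    literal = parse_legacy_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            literal = None
    if literal is not None:
        if is_internal(literal):
            raise ValueError(f"blocked: {host} is {literal}")
        return str(literal)
    answers = [ipaddress.ip_address(a) for a in resolve(host)]
    if not answers:
        raise ValueError(f"blocked: {host} does not resolve")
    if any(is_internal(a) for a in answers):
        raise ValueError(f"blocked: {host} resolves to an internal address")
    return str(answers[0])                        # pin: connect here, not to the name

def is_blocked(host: str, resolve: Resolver = lambda _name: []) -> bool:
    """True when resolve_and_pin refuses the host; handy for table-driven checks."""
    try:
        resolve_and_pin(host, resolve)
        return False
    except ValueError:
        return True

class RebindingResolver:
    """Constructed attacker DNS: first answer is public, every later one is loopback."""
    def __init__(self, public: str = "8.8.8.8"):
        self.answers, self.calls = [public, "127.0.0.1"], 0
    def __call__(self, name: str) -> List[str]:
        self.calls += 1
        return [self.answers[min(self.calls, 2) - 1]]

def vulnerable_fetch_target(host: str, resolve: Resolver) -> str:
    """Validate, then let the client look the name up again (the TOCTOU)."""
    if any(is_internal(ipaddress.ip_address(a)) for a in resolve(host)):
        raise ValueError("blocked")
    return resolve(host)[0]                       # second lookup returns 127.0.0.1

def hardened_fetch_target(host: str, resolve: Resolver) -> str:
    return resolve_and_pin(host, resolve)
```

Two practical notes. Python's `ipaddress` treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, so `is_private` blocks them; use genuinely global addresses when testing the allow path. And pinning only works if the HTTP client actually connects to the returned IP while keeping the original `Host` header and TLS SNI, and re-runs the same check on every redirect target; a client that is handed the hostname again reopens the window.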
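CVE-2019-14351 and CVE-2025-32789 are the same class of bug six years apart: a column the API never returns (the password hash) can still be named in a filter or a sort, so the list endpoint's output depends on it and becomes a comparison oracle. The Python below is an added illustration, not EspoCRM's code; the user rows, the bcrypt-shaped hash strings and the attribute allowlist are constructed. It shows the list function that accepts any attribute, the one-symbol-at-a-time extraction the filter enables, and the read allowlist that closes both the filter and the sort variant.

```python
"""Added example, not EspoCRM's code: a list endpoint whose filter and sort accept
any attribute turns a hidden column into an oracle (CVE-2019-14351, CVE-2025-32789)."""
from typing import Callable, Dict, List, Optional

# Constructed rows. The hash is a made-up bcrypt-shaped string, not a real digest.
USERS = [
    {"id": "u1", "userName": "admin", "password": "$2y$10$abc.DEF123/xyz"},
    {"id": "u2", "userName": "alice", "password": "$2y$10$zzz.QQQ987/klm"},
]
HASH_CHARSET = "./$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Attributes the User API is meant to expose for filtering and sorting (assumed set).
LISTABLE_ATTRIBUTES = {"id", "userName", "firstName", "lastName", "isActive"}

def vulnerable_list(rows: List[dict], where: Optional[Dict[str, str]] = None,
                    order_by: Optional[str] = None) -> List[str]:
    """Applies a LIKE 'prefix%' filter and ORDER BY on whatever attribute the
    request names, then returns ids. The hash never appears in the response, but
    the response depends on it, which is all an oracle needs."""
    out = list(rows)
    if where:
        out = [r for r in out if str(r.get(where["attribute"], "")).startswith(where["value"])]
    if order_by:
        out.sort(key=lambda r: str(r.get(order_by, "")))
    return [r["id"] for r in out]

def hardened_list(rows: List[dict], where: Optional[Dict[str, str]] = None,
                  order_by: Optional[str] = None) -> List[str]:
    """Same query, but every attribute used in WHERE or ORDER BY must be on the
    read allowlist; password, salts and tokens never are."""
    requested = ([where["attribute"]] if where else []) + ([order_by] if order_by else [])
    for attr in requested:
        if attr not in LISTABLE_ATTRIBUTES:
            raise PermissionError(f"attribute {attr!r} cannot be filtered or sorted on")
    return vulnerable_list(rows, where, order_by)

def extract_hash(oracle: Callable[[str], bool], max_len: int = 256) -> str:
    """Recover a hidden value one symbol at a time from a prefix-match oracle:
    at most len(HASH_CHARSET) requests per position."""
    known = ""
    while len(known) < max_len:
        for c in HASH_CHARSET:
            if oracle(known + c):
                known += c
                break
        else:
            return known            # nothing extends the prefix: value complete
    return known

def password_prefix_oracle(target_id: str) -> Callable[[str], bool]:
    """The oracle the vulnerable endpoint hands an attacker: does the target still
    appear when filtering on password LIKE '<prefix>%'?"""
    return lambda prefix: target_id in vulnerable_list(
        USERS, {"attribute": "password", "value": prefix})
```

The fix is structural rather than a special case for `password`: filter and sort attributes are resolved against the same per-entity read allowlist the response serializer uses, so a field that cannot be read cannot influence the result either. A collation-insensitive `LIKE` would let the attacker skip half of the charset, so the per-position cost above is an upper bound.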
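CVE-2022-38844 is the classic CSV-injection chain: a low-privileged user stores a cell that begins with a formula character, an admin exports contacts, and the spreadsheet application evaluates it. The export must neutralise formula-looking cells, not the input path, because the same data is legitimate inside the CRM. The Python below is an added illustration, not EspoCRM's export code; the contact records are constructed samples. It shows the neutralisation rule with its two edge cases (leading whitespace before the formula character, and a leading tab or carriage return) and the false positive it knowingly accepts.

```python
"""Added example, not EspoCRM's code: neutralising formula injection in a CSV
export of user-supplied fields (CVE-2022-38844)."""
import csv
import io
from typing import Iterable, List, Optional

FORMULA_LEADS = ("=", "+", "-", "@")        # what spreadsheet apps evaluate

def neutralize_cell(value: Optional[object]) -> str:
    """Prefix a formula-looking cell with an apostrophe so the spreadsheet treats
    it as text. Leading whitespace is skipped before the check because ' =cmd'
    is still evaluated; a leading tab or CR is treated as dangerous because
    some applications use them to start a new cell. Phone numbers such as
    '+44 20 ...' get the apostrophe too: that false positive is the accepted cost."""
    s = "" if value is None else str(value)
    if s.startswith(("\t", "\r")) or s.lstrip().startswith(FORMULA_LEADS):
        return "'" + s
    return s

def export_csv(rows: Iterable[dict], fields: List[str], neutralize: bool = True) -> str:
    """neutralize=False reproduces the vulnerable behaviour: values are written as-is.
    Every cell is quoted so separators and newlines inside values cannot break rows."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        cells = [row.get(f) for f in fields]
        writer.writerow([neutralize_cell(c) if neutralize else ("" if c is None else c)
                         for c in cells])
    return buf.getvalue()

# Constructed contact records; the first two are the shapes an attacker would store.
SAMPLE_CONTACTS = [
    {"firstName": '=HYPERLINK("https://attacker.example","open")', "lastName": "Doe"},
    {"firstName": "  @SUM(1,1)", "lastName": "Roe"},
    {"firstName": "Alice", "lastName": "+44 20 7946 0958"},
]
```

Quoting every cell is what makes the tab and CR rule sufficient: inside a quoted field they are data, so the apostrophe only has to defeat formula evaluation, not row splitting. The same neutralisation belongs on any other tabular export (XLSX cells that are typed as strings are safe without it).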
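CVE-2026-33733 describes `name` and `scope` flowing from the request into a template path "without normalization or traversal" checks. The durable fix is not to normalise the attacker's string but to refuse anything that is not a single plain path segment, with a containment check on the resolved path as a second layer. The Python below is an added illustration, not EspoCRM's template code; the template root directory and the segment grammar are assumptions.

```python
"""Added example, not EspoCRM's code: confining attacker-controlled `scope` and
`name` to a template root (CVE-2026-33733). The directory layout is assumed."""
import os
import re
from pathlib import Path

TEMPLATE_ROOT = Path("/var/www/espocrm/custom/templates")     # assumed layout
SEGMENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")        # one segment: no dots, slashes or NULs

def vulnerable_template_path(scope: str, name: str) -> str:
    """Path built from raw request values: '..' and absolute paths pass straight through."""
    return os.path.normpath(str(TEMPLATE_ROOT / scope / f"{name}.tpl"))

def safe_template_path(scope: str, name: str, root: Path = TEMPLATE_ROOT) -> Path:
    """Two independent layers: a strict per-segment allowlist (the real fix), then a
    containment check on the normalised path in case a future caller skips the first."""
    for segment in (scope, name):
        if not SEGMENT_RE.fullmatch(segment):
            raise ValueError(f"invalid template segment {segment!r}")
    root = root.resolve()
    candidate = (root / scope / f"{name}.tpl").resolve()
    if root not in candidate.parents:
        raise ValueError("template path escapes the template root")
    return candidate
```

Note that `Path` joins discard the left side when the right side is absolute, which is why `vulnerable_template_path("Account", "/etc/passwd")` lands outside the tree without any `..` at all; a check that only looks for dot-dot misses it. In a real deployment `scope` should additionally be checked against the set of entity types that actually have templates.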