Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-14546 - Vulnerability Database
EspoCRM

EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-14546

Medium
Reference: CVE-2019-14546
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14546
Title: EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature which fires when the victim replies or forwards the mail thus helping him steal victims39 cookies (hence compromising their accounts).