EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-14549 - Vulnerability Database

EspoCRM

EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-14549

Medium

Reference: CVE-2019-14549

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14549

Title: EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity thus stealing user cookies when someone visits the publicly accessible link.