EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-14550 - Vulnerability Database

EspoCRM

EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2019-14550

Medium

Reference: CVE-2019-14550

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14550

Title: EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature which would fire when a user clicks on the Edit Dashboard button thus helping him steal victims39 cookies (hence compromising their accounts).