SB2019072901 - Multiple vulnerabilities in EspoCRM

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2019-14349)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the "api/v1/Document" functionality when storing documents in the account tab. A remote attacker can permanently inject and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Stored cross-site scripting (CVE-ID: CVE-2019-14350)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the Knowledge base functionality, when creating an article via the "api/v1/KnowledgeBaseArticle" URL. A remote attacker can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Improper control of interaction frequency (CVE-ID: CVE-2019-14351)

The vulnerability allows a remote attacker to perform brute-force attack.

Remediation

Install update from vendor's website.

References

• https://github.com/espocrm/espocrm/issues/1358
• https://github.com/espocrm/espocrm/issues/1356
• https://github.com/espocrm/espocrm/issues/1357