SB2024031821 - Security features bypass in EspoCRM
Published: March 18, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Security features bypass (CVE-ID: CVE-2024-24818)
CWE-ID: CWE-254 - Security Features
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to weakness in "Forgot password". A remote attacker on the local network can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack.
Remediation
Install update from vendor's website.