Security features bypass in EspoCRM - CVE-2024-24818
Published: March 18, 2024
Vulnerability identifier: #VU87582
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-24818
CWE-ID: CWE-254
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
EspoCRM
EspoCRM
Software vendor:
EspoCRM
EspoCRM
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to weakness in "Forgot password". A remote attacker on the local network can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack.
Remediation
Install updates from vendor's website.