Vulnerability identifier: #VU19526
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-799
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
EspoCRM
Web applications /
CRM systems
Vendor: EspoCRM
Description
The vulnerability allows a remote attacker to perform brute-force attack.
Successful exploitation of the vulnerability may allow an attacker to reconstruct password hashes and gain unauthorized access to the web application.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
EspoCRM: 5.6.4
External links
http://github.com/espocrm/espocrm/issues/1357
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.