Description

Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a malicious link on the Notifications page.

Remediation

References

CVE-2019-13643

Related Vulnerabilities

WordPress Plugin Ultimate Addons for Visual Composer Multiple Vulnerabilities (3.16.10)

Dolibarr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-14242)

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2010-1150)

WordPress Plugin IP Blacklist Cloud Arbitrary File Disclosure (3.42)

WordPress Plugin WP-RESTful Multiple Cross-Site Scripting Vulnerabilities (0.1)

Severity

Medium

Classification

CVE-2019-13643 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities