Description

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with malicious JavaScript in the filename. This JavaScript executed when an admin selects the particular file from the list of all attachments. The attacker could inject the JavaScript inside the filename and send it to users, thus helping him steal victims' cookies (hence compromising their accounts).

Remediation

References

CVE-2019-14547

Related Vulnerabilities

WordPress Plugin Export any WordPress data to XML/CSV Cross-Site Scripting (1.3.5)

MySQL CVE-2013-3811 Vulnerability (CVE-2013-3811)

WordPress Plugin Age Verification 'redirect_to' Parameter URI Redirection (0.4)

WordPress Incorrect Default Permissions Vulnerability (CVE-2011-1762)

WordPress Plugin Cart66 Pro Arbitrary File Disclosure (1.5.3)

Severity

Medium

Classification

CVE-2019-14547 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities