Description

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution.

Remediation

References

CVE-2023-5966

Related Vulnerabilities

Oracle Database Server Other Vulnerability (CVE-1999-0888)

WordPress CVE-2020-25286 Vulnerability (CVE-2020-25286)

PHP Insufficient Verification of Data Authenticity Vulnerability (CVE-2024-5458)

MySQL CVE-2013-1506 Vulnerability (CVE-2013-1506)

PHP CVE-2014-3479 Vulnerability (CVE-2014-3479)

Severity

High

Classification

CVE-2023-5966 CWE-434 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities