EspoCRM 5.6.8 Stored XSS on Email Signature fired in Preference and Email
Credit: Gaurav Narwani
The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-14546 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14546
CVE ID: CVE-2019-14546
Date of Disclosure: 3rd August 2019
Vendor, Product – EspoCRM, EspoCRM
Affected Product: EspoCRM Version 5.6.8
Severity Rating: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (CVSS Base Score: 8.5)
Description:
During the assessment it was observed that the Code View feature of the Email Signature is vulnerable to stored cross-site scripting (XSS). An attacker can store malicious JavaScript in the email signature of their own account; the script is delivered inside an email sent over the internet and executes in the victim's account when the victim replies to or forwards that email. The code view does not perform proper XSS validation on the signature, so the injected JavaScript runs and can read the victim's cookies. With that cookie the attacker can log in as the victim, take over the account completely, and perform malicious actions on the victim's behalf.
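As an added illustration (not EspoCRM's code and not the reporter's proof of concept), the JavaScript below models the two rendering paths the description contrasts: inserting a stored signature into a reply or forward body exactly as the sender saved it, and passing it through an allowlist sanitizer first. The sanitizer, its tag and attribute allowlists, the function names (`sanitizeSignature`, `renderSignatureUnsafe`, `renderSignatureSafe`) and the sample signature are all constructed for this example and are assumptions, not EspoCRM behaviour.

```javascript
// Added example, not EspoCRM code: an allowlist HTML sanitizer for a stored
// email signature, contrasted with the verbatim insertion the advisory
// describes. Allowlists and the sample input are constructed here.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'div', 'span']);
// Only <a href> survives, and only with an explicit http(s)/mailto scheme;
// every other attribute (on* handlers, style, src, ...) is dropped.
const ALLOWED_ATTRS = { a: new Set(['href']) };

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function safeHref(value) {
  return /^(https?:|mailto:)/i.test(value.trim());
}

// Tokenises the markup and rebuilds it from the allowlist; text outside tags
// is entity-escaped, and the bodies of <script>/<style> are discarded.
function sanitizeSignature(html) {
  const out = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const closing = m[0][1] === '/';
    const name = m[1].toLowerCase();
    if (!closing && (name === 'script' || name === 'style')) {
      // Skip the element body as well as the tag itself.
      const end = html.toLowerCase().indexOf(`</${name}`, last);
      const close = end === -1 ? -1 : html.indexOf('>', end);
      last = close === -1 ? html.length : close + 1;
      tagRe.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag dropped, its text kept
    if (closing) { out.push(`</${name}>`); continue; }
    const allowed = ALLOWED_ATTRS[name] || new Set();
    let attrs = '';
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      const attrValue = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!allowed.has(attrName)) continue;
      if (attrName === 'href' && !safeHref(attrValue)) continue;
      attrs += ` ${attrName}="${escapeText(attrValue)}"`;
    }
    out.push(`<${name}${attrs}>`);
  }
  out.push(escapeText(html.slice(last)));
  return out.join('');
}

// The vulnerable pattern the advisory describes: the stored signature is
// placed into the reply/forward body exactly as the sender saved it.
function renderSignatureUnsafe(signatureHtml) {
  return `<div class="signature">${signatureHtml}</div>`;
}

// The hardened form: sanitize before persisting and again before rendering.
function renderSignatureSafe(signatureHtml) {
  return `<div class="signature">${sanitizeSignature(signatureHtml)}</div>`;
}

// Constructed sample signature: benign formatting mixed with an inline event
// handler, a <script> element and a javascript: link (bodies are comments only).
const SAMPLE_SIGNATURE =
  '<p>Regards,<br><b>Example User</b></p>' +
  '<a href="https://example.com/" onmouseover="/* constructed handler */">example.com</a>' +
  '<script>/* constructed script */</script>' +
  '<a href="javascript:void(0)">click</a>';

// Returns both renderings of the sample so the difference can be inspected.
function demo() {
  return {
    unsafe: renderSignatureUnsafe(SAMPLE_SIGNATURE),
    safe: renderSignatureSafe(SAMPLE_SIGNATURE),
  };
}
```

The sanitizer is applied on the server at save time and again at render time, because the signature is stored once and reused in every reply and forward. Marking the session cookie `HttpOnly` limits the cookie-theft impact the advisory describes, but it does not stop injected script from acting inside the victim's authenticated session, so output sanitisation of the signature remains the actual fix.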
Proof of Concept:
Affected Components: Preferences page (Email Signature), Email Reply and Forward
Stored XSS on the Preferences page
Stored XSS when replying to or forwarding an email