EspoCRM 5.6.8 Stored XSS on Attachment Name
Credit: Gaurav Narwani
The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-14547 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14547
CVE ID: CVE-2019-14547
Date of Disclosure: 3rd August 2019
Vendor, Product – EspoCRM, EspoCRM
Affected Product: EspoCRM Version 5.6.8
Severity Rating: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (CVSS Base Score: 8.5)
Description:
During the assessment, it was observed that the attachment name shown in the attachment details suffers from stored XSS. An attacker can place malicious JavaScript in an attachment name while sending a mail. The XSS payload inside the attachment name fires when the admin loads the list of attachments at the URL http://localhost/EspoCRM-5.6.8/#Attachment. Once the admin clicks the attachment carrying the malicious payload, the JavaScript executes. This link can be sent to any user of the application and is reachable by all users, so the XSS affects every user who opens it. The attachment name is not properly validated or encoded, which allows the malicious JavaScript to execute and, for example, capture the victim's cookies. With this cookie the attacker can log in to the victim's account, effectively taking it over completely and performing malicious actions on the victim's behalf.
Proof of Concept:
Affected Component: Attachment Filename
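As an added illustration (not EspoCRM's own code), the rendering pattern the description points at: an attachment name concatenated into list-view markup without escaping, beside the same row rendered with output escaping. The row template, the `renderRow*` helpers, the `containsInjectedTag` check and the sample attachment record are constructed assumptions for this example.

```javascript
// Added example, not EspoCRM code: why an unescaped attachment name becomes
// stored XSS in a list view, and the output escaping that prevents it.
// All names, markup and the sample record below are constructed.

// Minimal HTML escaper for the five characters that matter in text and
// attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is dropped straight into markup, so any
// tag inside the name is parsed as part of the page.
function renderRowUnsafe(attachment) {
  return `<tr><td class="name" data-id="${attachment.id}">` +
         `<a href="#Attachment/view/${attachment.id}">${attachment.name}</a>` +
         `</td></tr>`;
}

// Hardened pattern: escape every untrusted value at the point of output;
// the name is still stored verbatim, it just can no longer become markup.
function renderRowSafe(attachment) {
  const id = escapeHtml(attachment.id);
  return `<tr><td class="name" data-id="${id}">` +
         `<a href="#Attachment/view/${id}">${escapeHtml(attachment.name)}</a>` +
         `</td></tr>`;
}

// Review/test helper: after removing the template's own tr/td/a tags, does
// anything tag-like remain in the rendered row?
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(tr|td|a)(\s[^>]*)?>/g, '');
  return /<[a-zA-Z]/.test(stripped);
}

// Constructed attachment record with a textbook marker payload in the name.
const sample = { id: 'abc123', name: 'invoice<img src=x onerror=alert(1)>.pdf' };

console.log(containsInjectedTag(renderRowUnsafe(sample))); // true
console.log(containsInjectedTag(renderRowSafe(sample)));   // false
```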