EspoCRM 5.6.8 Stored XSS on Knowledge Base Article
Credit: Gaurav Narwani
The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-14548 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14548
CVE ID: CVE-2019-14548
Date of Disclosure: 3rd August 2019
Vendor, Product – EspoCRM, EspoCRM
Affected Product: EspoCRM Version 5.6.8
Severity Rating: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (CVSS Base Score:8.5)
Description:
During the assessment, it was observed that the Body field of the Create Article form in the Knowledge Base is vulnerable to stored XSS. An attacker can place malicious JavaScript in the article body, and it is carried into the email when the article is sent by mail. The XSS in the article body fires when the attacker sends the article by email, or when a recipient replies to or forwards it. The code view of the article body does not perform proper XSS validation, so the malicious JavaScript executes and can steal the victim's cookies. With that cookie the attacker can log in to the victim's account, effectively taking it over completely and performing malicious actions on the victim's behalf.
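The root cause described above is that HTML entered in the article body's code view is stored and later embedded in outgoing mail without being filtered. The following is an added example (not EspoCRM's code, and not from the advisory author) of the kind of allowlist-based server-side sanitizer a defender would apply to such a field before storing or emailing it: only a small set of tags and attributes is kept, event-handler attributes and `script`/`style` content are dropped, and `href`/`src` values are restricted to safe URL schemes. The sample article body, the tag and attribute allowlists, and the function names are all constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: tags and per-tag attributes considered safe for a
# knowledge base article body. Anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tags whose whole content (not just the tag) must be discarded.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(value):
    """Accept relative URLs and the allowlisted schemes only."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input HTML keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Drops on* handlers, style, and every other unlisted attribute.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and (value is None or not _safe_url(value)):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form: emit the start tag only (no end tag for voids).
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped so stray '<' or '&' cannot form markup.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_article_body(html_body):
    """Return a sanitized copy of an article body safe to store and email."""
    parser = AllowlistSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample body mixing legitimate markup with the classic
# injection shapes a sanitizer must neutralise.
SAMPLE_BODY = ('<p>Hello <b>world</b></p>'
               '<script>alert(1)</script>'
               '<img src="x" onerror="alert(1)">'
               '<a href="javascript:alert(1)">link</a>')

if __name__ == "__main__":
    print(sanitize_article_body(SAMPLE_BODY))
```

Applying the sanitizer at the point where the article is saved, and again when the body is copied into an outgoing email, means the content rendered in the recipient's mail client never contains executable script regardless of what the code view accepted. Rather than a blocklist of known-bad tags, the parser re-serialises the document from an allowlist, so unknown or obfuscated constructs are dropped by default.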
Proof of Concept:
Affected Component: Knowledge base article body, Email Reply and Forward article.
Stored XSS when sending article through email.