EspoCRM 5.6.8 Stored XSS on Creating Entities in Admin Panel
Credit: Gaurav Narwani
The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-14549 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14549
CVE ID: CVE-2019-14549
Date of Disclosure: 3rd August 2019
Vendor, Product – EspoCRM, EspoCRM
Affected Product: EspoCRM Version 5.6.8
Severity Rating: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (CVSS Base Score: 8.5)
Description:
During the assessment, it was observed that the Create Entity feature at http://localhost/EspoCRM-5.6.8/#Admin/entityManager accepts arbitrary JavaScript inside the entity label, which executes when the corresponding tab is clicked from the homepage. When a user adds an entity label containing a malicious payload, the JavaScript fires whenever a user visits that tab, because neither the breadcrumbs nor the header filter the label. The tab list lacks proper XSS validation, so the malicious JavaScript executes and can read the victim's cookies. With this cookie the attacker can log in to the victim's account, achieving a complete account takeover and performing malicious actions on the victim's behalf.
Proof of Concept:
Affected Component: Side Tab title and Breadcrumbs
Stored XSS when opening a tab with the malicious payload in its title.
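A defensive illustration of the root cause, added here and not taken from EspoCRM's own code: a stored entity label is concatenated into tab and breadcrumb markup without HTML escaping, shown beside the escaped rendering that turns the same label into inert text. The function and entity names, and the sample label, are assumptions constructed for the example.

```javascript
// Added example (not EspoCRM code): escaping an attacker-controlled entity
// label before it is placed into tab and breadcrumb markup. Names are assumed.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the label is interpolated into markup as-is, so a label
// containing tags becomes live HTML when the tab or breadcrumb is rendered.
function renderTabUnsafe(entity) {
  return '<li class="tab" data-name="' + entity.name + '">' + entity.label + '</li>';
}

// Hardened pattern: every interpolated value is escaped for its HTML context.
function renderTabSafe(entity) {
  return '<li class="tab" data-name="' + escapeHtml(entity.name) + '">'
    + escapeHtml(entity.label) + '</li>';
}

// Breadcrumb trail built from the same stored labels, escaped the same way;
// the fragment identifier is URL-encoded for the href attribute.
function renderBreadcrumbsSafe(trail) {
  return '<div class="breadcrumbs">'
    + trail.map((entity) => '<a href="#' + encodeURIComponent(entity.name) + '">'
        + escapeHtml(entity.label) + '</a>').join(' &raquo; ')
    + '</div>';
}

// Detection aid: flag stored labels that contain tag characters so they can be
// reviewed or rejected at save time (server-side validation is the right place).
function labelLooksLikeMarkup(label) {
  return /<|>|javascript:/i.test(String(label));
}

// Constructed sample: a label with an embedded script tag (not a real entity).
const hostileEntity = { name: 'CustomEntity', label: 'Leads<script>alert(1)</script>' };

console.log(renderTabUnsafe(hostileEntity)); // script tag survives into the DOM
console.log(renderTabSafe(hostileEntity));   // rendered as inert text
```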