CVE-2019-14546

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-14546
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-14546.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-14546
Published
2019-08-05T19:15:11Z
Modified
2025-01-08T10:22:28.879407Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email when a malicious payload was inserted inside the Email Signature in the Preference page. The attacker could insert malicious JavaScript inside his email signature, which fires when the victim replies or forwards the mail, thus helping him steal victims' cookies (hence compromising their accounts).

References

Affected packages

Git / github.com/espocrm/espocrm

Affected ranges

Type
GIT
Repo
https://github.com/espocrm/espocrm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2

3.*

3.0.0
3.0.1
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0
3.9.0
3.9.1
3.9.2

4.*

4.0.0
4.0.0-beta.1
4.0.0-beta.2
4.0.0-beta.3
4.0.0-beta.4
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.3.0
4.3.0-beta.1
4.3.0-beta.2
4.3.1
4.4.0
4.4.1
4.5.0
4.5.1
4.6.0
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8