First published: Mon Aug 05 2019
An issue was discovered in EspoCRM before 5.6.9. A stored XSS payload placed in the Email Signature field on the Preference page executes both on the Preference page itself and when an email is sent. An attacker could insert malicious JavaScript into their own email signature, which fires when a victim replies to or forwards the mail, allowing the attacker to steal the victim's cookies and thereby compromise their account.
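The defensive counterpart to the bug described above is to treat a rich-text signature as untrusted HTML and re-emit only an allowlisted subset of it before storing or rendering. The sanitizer below is an added example written for this page; it is not EspoCRM's code or its actual fix for CVE-2019-14546, and the allowlist (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `SAFE_URL_SCHEMES`) is a policy chosen for the example. It drops script and style bodies, unknown tags, event-handler attributes and `javascript:` links, and escapes all text on output, using only the Python standard library.

```python
"""Allowlist-based sanitizer for a user-controlled rich-text field such as an
email signature. Added example, not EspoCRM code: it shows the class of
control that prevents stored XSS in a field like the one CVE-2019-14546
concerns. Tags and attributes not on the allowlist are dropped (their text is
kept), script/style bodies are discarded, event-handler attributes and
javascript: links are removed, and all text is re-escaped on output."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy chosen for this example: enough for a formatted signature.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p", "span", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def is_safe_url(value: str) -> bool:
    """Allow relative URLs and a few schemes; reject javascript:, data:, etc.
    Browsers ignore tab/CR/LF inside a scheme, so strip them before parsing."""
    cleaned = value.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class SignatureSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; HTMLParser lowercases tag/attr names."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_stack: list[str] = []  # allowed tags opened so far
        self.skip_depth = 0              # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1         # drop the element and its body
            return
        if tag not in ALLOWED_TAGS:
            return                       # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""          # bare attributes come back as None
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # event handlers and unknown attrs go
            if name == "href" and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_stack:
            # Close everything opened after this tag too, so output stays well-formed.
            while self.open_stack:
                closed = self.open_stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is always escaped on output

    # Comments, doctype declarations and processing instructions use the
    # parser's default no-op handlers, so they are dropped.

    def result(self) -> str:
        while self.open_stack:           # close tags the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_signature(html: str) -> str:
    """Return a sanitized copy of a user-supplied HTML signature."""
    parser = SignatureSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs: a benign signature and one carrying markup
    # that a signature field has no business accepting.
    benign = '<b>Jane Doe</b><br>Security Engineer, <a href="https://example.com">Example</a>'
    hostile = '<b>Jane</b><script>evil()</script><img src=x onerror=evil()><a href="javascript:evil()">x</a>'
    print(sanitize_signature(benign))   # unchanged
    print(sanitize_signature(hostile))  # <b>Jane</b><a>x</a>
```

Run the sanitizer at write time (before the signature is stored) and again at render time if the stored value could have been written by an older code path; it is the output-escaping on text plus the strict allowlist, not a denylist of known-bad strings, that makes the stored payload inert on the Preference page and in composed emails.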
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
EspoCRM | <5.6.9 | Update to 5.6.9 or later |
CVE-2019-14546 is a vulnerability discovered in EspoCRM before version 5.6.9 that allows for stored cross-site scripting (XSS) attacks.
CVE-2019-14546 allows for the execution of stored XSS attacks on the Preference page and when sending emails with a malicious payload inserted in the Email Signature.
The severity of CVE-2019-14546 is medium with a CVSS score of 5.4.
To fix CVE-2019-14546, it is recommended to update EspoCRM to version 5.6.9 or later.
More information about CVE-2019-14546 is available in the referenced links: [Link 1], [Link 2], [Link 3].