CVE-2019-14548: XSS
First published: Mon Aug 05 2019(Updated: )
An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| EspoCRM | <5.6.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-14548?
CVE-2019-14548 is a vulnerability discovered in EspoCRM before version 5.6.9 that allows for stored cross-site scripting (XSS) attacks.
How does CVE-2019-14548 work?
CVE-2019-14548 allows an attacker to execute malicious JavaScript code when a victim opens articles received through mail in EspoCRM.
What is the severity of CVE-2019-14548?
The severity of CVE-2019-14548 is rated as medium with a CVSS score of 5.4.
How can CVE-2019-14548 be exploited?
CVE-2019-14548 can be exploited by an attacker using the Knowledge Base feature in EspoCRM to inject malicious JavaScript code into the body of an Article.
Is there a fix for CVE-2019-14548?
Yes, the vulnerability has been fixed in EspoCRM version 5.6.9 and later.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/espocrm
- canonical/espocrm