CVE-2024-24818: EspoCRM weakness in "Forgot password"
First published: Thu Feb 29 2024(Updated: )
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| EspoCRM | <8.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-24818?
CVE-2024-24818 is considered a high severity vulnerability due to the potential for credential stealing attacks.
How do I fix CVE-2024-24818?
To fix CVE-2024-24818, upgrade EspoCRM to version 8.1.2 or above.
What does CVE-2024-24818 exploit?
CVE-2024-24818 exploits the 'Password Change' page by allowing attackers to inject arbitrary IPs or domains.
What are the risks associated with CVE-2024-24818?
The risks associated with CVE-2024-24818 include potential redirects to malicious sites leading to credential theft.
Which versions of EspoCRM are affected by CVE-2024-24818?
CVE-2024-24818 affects versions of EspoCRM prior to 8.1.2.
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/espocrm
- canonical/espocrm