What is the severity of CVE-2025-32385?

CVE-2025-32385 has a medium severity rating as it allows arbitrary URLs to be displayed in iframes without appropriate sandboxing.

How do I fix CVE-2025-32385?

To fix CVE-2025-32385, upgrade your EspoCRM software to version 9.0.5 or later.

What is CVE-2025-32385?

CVE-2025-32385 is a vulnerability in EspoCRM that allows iframes to display arbitrary URLs without the sandbox attribute, potentially leading to security risks.

Which versions of EspoCRM are affected by CVE-2025-32385?

EspoCRM versions prior to 9.0.5 are affected by CVE-2025-32385.

What types of attacks can CVE-2025-32385 facilitate?

CVE-2025-32385 can facilitate attacks such as phishing and unwanted popups due to the lack of sandboxing in iframes.

Vulnerability/
CVE-2025-32385

medium

5.3

CWE

1021

15/4/2025

16/4/2025

CVE-2025-32385: EspoCRM allows unrestricted Embedding in Iframe dashlet

First published: Tue Apr 15 2025(Updated: )

EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
EspoCRM	<9.0.5

Never miss a vulnerability like this again

Reference Links

https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8

Frequently Asked Questions

What is the severity of CVE-2025-32385?
CVE-2025-32385 has a medium severity rating as it allows arbitrary URLs to be displayed in iframes without appropriate sandboxing.
How do I fix CVE-2025-32385?
To fix CVE-2025-32385, upgrade your EspoCRM software to version 9.0.5 or later.
What is CVE-2025-32385?
CVE-2025-32385 is a vulnerability in EspoCRM that allows iframes to display arbitrary URLs without the sandbox attribute, potentially leading to security risks.
Which versions of EspoCRM are affected by CVE-2025-32385?
EspoCRM versions prior to 9.0.5 are affected by CVE-2025-32385.
What types of attacks can CVE-2025-32385 facilitate?
CVE-2025-32385 can facilitate attacks such as phishing and unwanted popups due to the lack of sandboxing in iframes.

collector/mitre-cve
source/MITRE
agent/references
agent/weakness
agent/title
agent/description
agent/first-publish-date
agent/type
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/nvd-api
source/NVD
agent/severity
agent/source
agent/last-modified-date
agent/author
agent/tags
agent/event
vendor/espocrm
canonical/espocrm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.