EspoCRM Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-14350)

Description

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attacker can inject JavaScript code in the body parameter during api/v1/KnowledgeBaseArticle knowledge-base record creation.

Remediation

References

CVE-2019-14350

Related Vulnerabilities

WordPress Plugin WP Server Log Viewer Cross-Site Scripting (1.0)

Apache Tomcat Deserialization of Untrusted Data Vulnerability (CVE-2021-25329)

WordPress Plugin Zingiri Web Shop 'abspath' Parameter Remote File Include (2.4.6)

Apache HTTP Server Out-of-bounds Read Vulnerability (CVE-2017-7668)

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-1570)

Severity

Medium

Classification

CVE-2019-14350 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N