Description

An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).

Remediation

References

CVE-2019-14548

Related Vulnerabilities

WordPress Plugin Slider Revolution Responsive Arbitrary File Upload (3.0.95)

ATutor Improper Privilege Management Vulnerability (CVE-2017-1000003)

WordPress Plugin MailPoet Newsletters (Previous) Multiple Unspecified Vulnerabilities (2.7.1)

WordPress Plugin Mass Pages/Posts Creator Cross-Site Scripting (1.2.2)

Serendipity Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2015-6943)

Severity

Medium

Classification

CVE-2019-14548 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities