Description

An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles received through mail. This Article can be formed by an attacker using the Knowledge Base feature in the tab list. The attacker could inject malicious JavaScript inside the body of the article, thus helping him steal victims' cookies (hence compromising their accounts).

Remediation

References

CVE-2019-14548

Related Vulnerabilities

WordPress Plugin Double Opt-In for Download Multiple Cross-Site Scripting Vulnerabilities (2.1.5)

Plone CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-7147)

MySQL CVE-2015-4895 Vulnerability (CVE-2015-4895)

WordPress Plugin WordPress.com Custom CSS Cross-Site Scripting (1.5)

TYPO3 Uncontrolled Recursion Vulnerability (CVE-2022-23500)

Severity

Medium

Classification

CVE-2019-14548 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities