Description

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus helping him steal victims' cookies (hence compromising their accounts).

Remediation

References

CVE-2019-14550

Related Vulnerabilities

WordPress Plugin Fluid Responsive Slideshow Multiple Vulnerabilities (2.2.6)

Moodle Improper Privilege Management Vulnerability (CVE-2017-7532)

WordPress Plugin MP3-jPlayer Information Disclosure (2.3.2)

TYPO3 Improper Neutralization of HTTP Headers for Scripting Syntax Vulnerability (CVE-2021-41114)

WordPress Plugin Stripe Payment for WooCommerce Cross-Site Scripting (3.5.9)

Severity

Medium

Classification

CVE-2019-14550 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities