Description

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature present on the Homepage. An attacker can load malicious JavaScript inside the add tab list feature, which would fire when a user clicks on the Edit Dashboard button, thus helping him steal victims' cookies (hence compromising their accounts).

Remediation

References

CVE-2019-14550

Related Vulnerabilities

Oracle JRE CVE-2014-0460 Vulnerability (CVE-2014-0460)

WordPress Plugin Affiliate Ads for Clickbank Products Cross-Site Scripting (1.6)

WordPress Plugin MediaRSS external gallery TimThumb Arbitrary File Upload (0.1)

Next.js URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2020-15242)

WordPress Plugin YAS Slideshow Arbitrary File Upload (3.4)

Severity

Medium

Classification

CVE-2019-14550 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities