CVE-2025-32390

Exploit

EPSS 0.11%
Veröffentlicht 12.05.2025 10:30:52
Zuletzt bearbeitet 17.06.2025 19:41:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and if they submit their credentials, they get captured in plain text. The vulnerability is allowed by overly permissive HTML editing being allowed on the KB articles. Any authenticated user with the privilege to read KB articles is impacted. In an enterprise with multiple applications, the malicious KB article could be edited to match the login pages of other applications, which would make it useful for credential harvesting against other applications as well. Version 9.0.8 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Espocrm ≫ Espocrm Version < 9.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.3

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.5	3.1	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
security-advisories@github.com	7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://github.com/espocrm/espocrm/security/advisories/GHSA-qrwp-v8v3-hqp2

Vendor Advisory

Exploit

https://github.com/espocrm/espocrm/commit/6b58d30eec8864de52844bfb8dac346ce5c729d7

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-32390

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32390

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32390

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-32390