CVE-2025-32789

Exploit

EPSS 0.18%
Veröffentlicht 16.04.2025 21:45:21
Zuletzt bearbeitet 18.06.2025 13:08:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Espocrm ≫ Espocrm Version < 9.0.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.392

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/espocrm/espocrm/security/advisories/GHSA-3ph3-jcfx-fq53

Vendor Advisory

Exploit

https://github.com/espocrm/espocrm/commit/91740192d2e2c575c6a04534c079baf9f3af0a7f

Patch

https://github.com/espocrm/espocrm/commit/bd900d0b48fe37a98def4c0e094e39e7e385e9ea

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-32789

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32789

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32789

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-32789