Stored XSS in Title and Breadcrumb of EspoCRM Entities

Stored XSS in Title and Breadcrumb of EspoCRM Entities

CVE-2019-14549 · LOW Severity

AV:N/AC:M/AU:S/C:N/I:P/A:N

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.

Learn more about our Crm Penetration Testing.