Stored XSS in Title and Breadcrumb of EspoCRM Entities
CVE-2019-14549 · LOW Severity
AV:N/AC:M/AU:S/C:N/I:P/A:N
An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible link.
Learn more about our Crm Penetration Testing.