BIT-espocrm-2022-38844

Import Source
https://github.com/bitnami/vulndb/tree/main/data/espocrm/BIT-espocrm-2022-38844.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-espocrm-2022-38844
Aliases
Published
2024-03-06T10:52:34.504Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user who exports contacts to a CSV file may end up executing the malicious system commands on their own system.

References

Affected packages

Bitnami / espocrm

Package

Name
espocrm
Purl
pkg:bitnami/espocrm

Severity

  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected ranges

Type
SEMVER
Events
Introduced
7.1.8
Last affected
7.1.8