BIT-espocrm-2022-38844

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/espocrm/BIT-espocrm-2022-38844.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-espocrm-2022-38844

Aliases

CVE-2022-38844

Published

2024-03-06T10:52:34.504Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.

Database specific

{
    "cpes": [
        "cpe:2.3:a:espocrm:espocrm:7.1.8:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76

Affected packages

Bitnami / espocrm

Package

Name: espocrm
Purl: pkg:bitnami/espocrm

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

7.1.8

Last affected

7.1.8