BIT-espocrm-2023-46736

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/espocrm/BIT-espocrm-2023-46736.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-espocrm-2023-46736
Aliases
Published
2024-03-06T10:52:04.699Z
Modified
2024-05-23T01:28:37.799991Z
Summary
[none]
Details

EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to the /Attachment/fromImageUrl endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit c536cee63 which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Bitnami / espocrm

Package

Name
espocrm
Purl
pkg:bitnami/espocrm

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.0.2