CVE-2025-32385

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-32385

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32385.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-32385

Aliases

GHSA-2rf2-mj98-2fr8

Published

2025-04-15T23:23:58.292Z

Modified

2026-04-10T05:25:09.961545Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

EspoCRM allows unrestricted Embedding in Iframe dashlet

Details

EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.

Database specific

{
    "cwe_ids": [
        "CWE-1021"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32385.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/espocrm/espocrm

Affected ranges

Type: GIT
Repo: https://github.com/espocrm/espocrm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

368c2fb866648e97150cabe3ff81ec8199cdd436

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

2.*

2.0.1

2.3.0

2.4.0

2.5.0

2.5.1

2.5.2

2.6.0

2.8.0

2.8.1

2.9.0

3.*

3.0.0

3.1.0

3.2.0

3.3.0

3.4.0

3.4.1

3.4.2

3.5.0

3.6.0

3.6.1

3.7.0

3.7.1

3.8.0

3.9.0

3.9.1

4.*

4.0.0

4.0.0-beta.1

4.0.0-beta.2

4.0.0-beta.3

4.0.0-beta.4

4.0.1

4.0.2

4.0.3

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.3.0

4.3.0-beta.1

4.3.0-beta.2

4.4.0

4.5.0

4.6.0

4.7.0

4.8.0

5.*

5.0.0

5.0.1

5.1.0

5.1.1

5.1.2

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.5.1

5.6.0

5.6.1

5.7.0

5.7.1

5.7.2

5.7.3

5.7.4

5.7.5

5.8.0

5.8.1

5.8.2

5.9.0

5.9.1

5.9.2

6.*

6.0.0

6.0.0-beta1

6.0.0-beta2

6.0.0-beta4

6.0.1

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.0.7

7.0.8

7.1.0

7.1.1

7.1.2

7.1.3

7.2.0

7.3.0

7.4.0

7.4.1

7.4.2

7.4.3

8.*

8.0.0

8.0.1

8.0.2

8.1.0

8.2.0

8.4.0

9.*

9.0.0

9.0.1

9.0.2

9.0.3

9.0.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32385.json"