CVE-2024-24818
MEDIUM severity · CVSS 5.9 · CWE-610
Summary
EspoCRM is an open source Customer Relationship Management (CRM) application. An attacker can inject an arbitrary IP address or domain into the "Password Change" page and redirect the victim to a malicious page, which could lead to credential theft or another attack. This vulnerability is fixed in 8.1.2.
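The summary describes a vulnerability class in which the host of a password-change link is taken from attacker-controllable request data rather than from configuration. The record does not state EspoCRM's exact injection point or fix, so the following is an added illustration of that class in general, not EspoCRM's code: a vulnerable link builder that copies the request Host header beside a hardened one that validates the header against an allowlist and builds the link from a configured canonical site URL. The path `/change-password`, the configuration values and the sample headers are constructed for the example.

```python
from typing import Mapping
from urllib.parse import urlsplit

# Constructed configuration for the example: an operator sets the canonical
# site URL once, and the application never derives it from a request.
CANONICAL_SITE_URL = "https://crm.example.com"

# Constructed allowlist of hostnames the application is legitimately served under.
ALLOWED_HOSTS = {"crm.example.com"}


def build_reset_link_unsafe(headers: Mapping[str, str], token: str) -> str:
    """Vulnerable pattern: the host part of the emailed link is copied from the
    untrusted Host header of the request that triggered the password change."""
    host = headers.get("Host", "")
    return f"https://{host}/change-password?token={token}"


def request_host(headers: Mapping[str, str]) -> str:
    """Normalise the Host header: lowercase, strip whitespace and any port,
    keeping an IPv6 literal such as [::1] intact."""
    host = headers.get("Host", "").strip().lower()
    if host.startswith("["):
        if "]:" in host:
            host = host.split("]:", 1)[0] + "]"
    elif ":" in host:
        host = host.split(":", 1)[0]
    return host


def host_is_allowed(headers: Mapping[str, str]) -> bool:
    """True only if the normalised request host is on the allowlist."""
    return request_host(headers) in ALLOWED_HOSTS


def build_reset_link_safe(headers: Mapping[str, str], token: str) -> str:
    """Hardened pattern: refuse requests for unknown hosts, then build the link
    from the configured canonical URL so request data never reaches the link."""
    if not host_is_allowed(headers):
        raise ValueError("request Host header is not an allowed host")
    base = urlsplit(CANONICAL_SITE_URL)
    return f"{base.scheme}://{base.netloc}/change-password?token={token}"


if __name__ == "__main__":
    # Constructed request headers: one legitimate, one with a foreign host.
    legit = {"Host": "crm.example.com"}
    foreign = {"Host": "untrusted.example"}
    print("unsafe, legit:  ", build_reset_link_unsafe(legit, "t0k3n"))
    print("unsafe, foreign:", build_reset_link_unsafe(foreign, "t0k3n"))
    print("safe, legit:    ", build_reset_link_safe(legit, "t0k3n"))
    try:
        build_reset_link_safe(foreign, "t0k3n")
    except ValueError as exc:
        print("safe, foreign:   rejected:", exc)
```

The check on the Host header is a defence in depth; the actual fix is that the link is assembled from `CANONICAL_SITE_URL`, so even a request that passes the allowlist cannot influence where the emailed link points. Behind a reverse proxy the same rule applies to forwarded-host headers, which should be ignored unless the proxy is trusted and the value is validated the same way.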
Impact & exploitability
Attack vector: Adjacent
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality impact: High
Integrity impact: Low
Availability impact: Low
Exploit probability (EPSS): 1%
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: https://github.com/espocrm/espocrm/commit/3babdfa3399e328fb1bd83a1b4ed03d509f4c8e7