CVE-2019-14331 - OpenCVE

An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Espocrm	Espocrm

Configuration 1 [-]

cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.cinquino.eu/EspoCRM.htm	Exploit Third Party Advisory
https://github.com/espocrm/espocrm/commit/4ab7d19776011288b875abd3eef1e1f6f75289e2	Patch Third Party Advisory
https://github.com/espocrm/espocrm/compare/5.6.5...5.6.6	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-28T13:46:22

Updated: 2019-07-28T13:46:22

Reserved: 2019-07-28T00:00:00

Link: CVE-2019-14331

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-28T14:15:10.980

Modified: 2019-07-30T13:51:16.143

Link: CVE-2019-14331

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-28T13:46:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.cinquino.eu/EspoCRM.htm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/commit/4ab7d19776011288b875abd3eef1e1f6f75289e2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/compare/5.6.5...5.6.6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14331", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.cinquino.eu/EspoCRM.htm", "refsource": "MISC", "url": "http://www.cinquino.eu/EspoCRM.htm"}, {"name": "https://github.com/espocrm/espocrm/commit/4ab7d19776011288b875abd3eef1e1f6f75289e2", "refsource": "MISC", "url": "https://github.com/espocrm/espocrm/commit/4ab7d19776011288b875abd3eef1e1f6f75289e2"}, {"name": "https://github.com/espocrm/espocrm/compare/5.6.5...5.6.6", "refsource": "MISC", "url": "https://github.com/espocrm/espocrm/compare/5.6.5...5.6.6"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14331", "datePublished": "2019-07-28T13:46:22", "dateReserved": "2019-07-28T00:00:00", "dateUpdated": "2019-07-28T13:46:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B292914C-C64F-4063-9EF5-38577CB3D454", "versionEndExcluding": "5.6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. A malicious attacker can modify the firstName and lastName to contain JavaScript code."}, {"lang": "es", "value": "Se detect\u00f3 un problema en EspoCRM anterior a la versi\u00f3n 5.6.6. Un XSS almacenado se presenta debido a la falta de filtrado de los datos suministrados por el usuario en Create User. Un atacante malicioso puede modificar el Nombre y el Apellido para que contengan c\u00f3digo JavaScript."}], "id": "CVE-2019-14331", "lastModified": "2019-07-30T13:51:16.143", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-28T14:15:10.980", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.cinquino.eu/EspoCRM.htm"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/espocrm/espocrm/commit/4ab7d19776011288b875abd3eef1e1f6f75289e2"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/espocrm/espocrm/compare/5.6.5...5.6.6"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}