Headline
CVE-2023-5965: Multiple vulnerabilities in EspoCRM
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.
Affected Resources
EspoCRM, versions 7.5.2 and earlier.
Description
INCIBE has coordinated the publication of 2 vulnerabilities that affect EspoCRM, which have been discovered by Pedro José Navas Pérez from Hispasec.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:
- CVE-2023-5965 and CVE-2023-5966: CVSS v3.1: 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-434 (Unrestricted Upload of File with Dangerous Type).
Solution
Users with the administrator profile can load extensions and updates by design, as this is functionality that most users use and request, so the upload forms themselves are not removed. Exploitation can be restricted by enabling the “restrictedMode” option in the EspoCRM configuration, which prevents administrator accounts from deploying upgrade and extension packages through the web interface. Note that both vulnerabilities require administrator privileges (PR:H in the vector above): the impact is that a compromised or malicious administrator account escalates to arbitrary PHP execution on the server, so administrator account hygiene remains relevant alongside the configuration change.
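The mitigation above, shown as an added example that is not part of the advisory or of the EspoCRM project: a weak and a hardened instance configuration side by side, plus a small command-line check an administrator can run to confirm the setting is in effect. It assumes EspoCRM's documented layout for data/config.php (a PHP file that returns an array); the helper function names, the siteUrl value and the script name are constructed for this example. Verify the parameter against the documentation for your installed version.

```php
<?php
// Added example (not from the advisory or EspoCRM). EspoCRM reads its
// instance settings from data/config.php, which returns a PHP array.
// The key that matters for this advisory is 'restrictedMode'.

// Weak configuration: restrictedMode is off (or absent, which is the default),
// so any account with the administrator profile can upload upgrade and
// extension zips through the web interface.
$weakConfig = [
    'siteUrl'        => 'https://crm.example.test',  // constructed value
    'restrictedMode' => false,
];

// Hardened configuration: restrictedMode on. Administrators can no longer
// deploy upgrade or extension packages from the web interface, which is the
// upload path both CVEs rely on.
$hardenedConfig = [
    'siteUrl'        => 'https://crm.example.test',  // constructed value
    'restrictedMode' => true,
];

/**
 * Return true when a configuration array has the mitigation enabled.
 * Hypothetical helper for this example. The comparison is strict so that
 * a missing key, a string such as "true", or the integer 1 is not mistaken
 * for the setting being on.
 */
function restrictedModeEnabled(array $config): bool
{
    return isset($config['restrictedMode']) && $config['restrictedMode'] === true;
}

/**
 * Load an EspoCRM config file and report whether restrictedMode is enabled.
 * Hypothetical helper. Run from the installation root, for example:
 *   php check-restricted-mode.php data/config.php
 */
function checkConfigFile(string $path): bool
{
    if (!is_readable($path)) {
        fwrite(STDERR, "cannot read $path\n");
        return false;
    }
    $config = require $path;  // config.php returns an array
    return is_array($config) && restrictedModeEnabled($config);
}

// Self-check on the two constructed configurations above.
assert(restrictedModeEnabled($hardenedConfig));
assert(!restrictedModeEnabled($weakConfig));

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $ok = checkConfigFile($argv[1]);
    echo $ok
        ? "restrictedMode is enabled\n"
        : "restrictedMode is NOT enabled: administrators can upload upgrade/extension zips\n";
    exit($ok ? 0 : 1);
}
```

The check is deliberately strict: EspoCRM configuration values are PHP literals, and an administrator who edits the file by hand can easily leave the key as a quoted string, which this check reports as not enabled rather than silently accepting it.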
Detail
- CVE-2023-5965 and CVE-2023-5966: an authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form and the extension deployment form respectively, which could lead to arbitrary PHP code execution.