
CVE-2022-38843: EspoCRM 7.1.8 is vulnerable to Unrestricted File Upload

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload, allowing attackers to upload a malicious file with any extension to the server. An attacker may then execute these files to run unintended code on the server and compromise it.


Affected Product and Version: EspoCRM 7.1.8

Description: EspoCRM is an open-source CRM (customer relationship management) application written in PHP that lets users view and manage company relationships. EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload, allowing attackers to upload a malicious file with any extension to the server. An attacker may then execute these files to run unintended code on the server and compromise it.

Impact: The attacker may run malicious code on the server and compromise the confidentiality, integrity, and availability of the server and application.

Steps to reproduce:

1. Log in to the application

2. Go to the profile page and upload a file with the .html extension

3. Access the uploaded file and observe that it was uploaded successfully

Remediation:

Upgrade to the latest stable version, EspoCRM 7.1.9.
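The root cause described above is an upload handler that accepts whatever extension the client supplies. The following PHP is an added illustration written for this page, not EspoCRM's own code: it places the unrestricted pattern next to a hardened profile-image handler that allowlists extensions, checks the file's real content, generates the stored filename server-side, and writes outside the web root. The function names, the `$_FILES['avatar']` field and the `/var/lib/app/uploads` path are assumptions for the example.

```php
<?php
// Added example (not EspoCRM code): unrestricted upload pattern vs. a hardened
// image-upload handler. Names and paths here are hypothetical.

declare(strict_types=1);

// Unrestricted pattern: trusts the client-supplied filename, so a file such as
// "profile.html" (or any other extension) is written into the web root and can
// later be fetched, and rendered, by a browser.
function saveUploadUnrestricted(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened pattern. Only raster image types are allowed; HTML and SVG are
// deliberately absent because browsers execute script in both when served inline.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the normalised extension to store under, or null if the upload is rejected.
function validateUploadedImage(string $tmpPath, string $clientName): ?string
{
    // 1. The client-supplied extension must be on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, ALLOWED_IMAGE_TYPES, true)) {
        return null;
    }

    // 2. The bytes on disk must match the claimed type. The request's
    //    Content-Type header is attacker-controlled and is ignored here.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_IMAGE_TYPES[$detected])
        || ALLOWED_IMAGE_TYPES[$detected] !== $ext) {
        return null;
    }

    // 3. It must also decode as an image (catches polyglot/corrupt files).
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    return $ext;
}

// Returns the server-generated filename on success, null on rejection.
function saveUploadHardened(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validateUploadedImage($file['tmp_name'], $file['name']);
    if ($ext === null) {
        return null;
    }

    // Server-chosen name: no user input reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;       // persist this reference; serve via a download script
}

// Usage (hypothetical): $storageDir lies outside DocumentRoot, so nothing here
// is reachable by URL; a separate endpoint streams the file back.
// $stored = saveUploadHardened($_FILES['avatar'], '/var/lib/app/uploads');
```

When the stored file is later served, send it with `X-Content-Type-Options: nosniff` and, for anything that is not an image the application itself renders, `Content-Disposition: attachment`, so even a file that slipped past validation is downloaded rather than executed in the origin of the application.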
