Cyber threats 2014: Multiple vulnerabilities in EspoCRM

Posted: October 30, 2014 in Vulnerabilities

Three new vulnerabilities in the open source CRM EspoCRM: PHP File Inclusion, Improper Access Control and Reflected Cross-Site Scripting.

Danger level: High
Fix available: Yes
Number of vulnerabilities: 3

CVSSv2 Rating:
(AV: N / AC: H / Au: N / C: C / I: C / A: C / E: U / RL: OF / RC: C) = Base: 7.6 / Temporal: 5.6
(AV: N / AC: L / Au: N / C: N / I: N / A: P / E: U / RL: OF / RC: C) = Base: 5 / Temporal: 3.7
(AV: N / AC: M / Au: N / C: N / I: P / A: N / E: U / RL: OF / RC: C) = Base: 4.3 / Temporal: 3.2

CVE ID:
CVE-2014-7985
CVE-2014-7986
CVE-2014-7987

Attack vector: Remote
Impact: Cross-site scripting (XSS-attacks), Unauthorized modification of data, Security Bypass

Affected products: EspoCRM 2.x
Affected versions: EspoCRM 2.5.2, possibly earlier versions

Description:
The vulnerabilities allow a remote user to carry out XSS attacks and to compromise a vulnerable system.

1. [CVE-2014-7985: PHP File Inclusion] The vulnerability is due to an error in processing the HTTP GET parameter “action” in the script “/install/index.php”, whose value is passed to the include() function. This can be exploited to include and execute an arbitrary PHP file with the privileges of the web server.

Note: Successful exploitation of this vulnerability allows an attacker to compromise a vulnerable system.

2. [CVE-2014-7986: Improper Access Control] The vulnerability is due to the script “/install/index.php” not properly checking whether the application has already been installed. A remote user can trigger a new installation and reinstall the application.

3. [CVE-2014-7987: Reflected Cross-Site Scripting] The vulnerability is due to an error in processing the HTTP GET parameter “desc” in the script “/install/index.php”. This can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
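The three weaknesses described above and the corresponding fixes, as an added PHP illustration (not EspoCRM's own installer code): the weak pattern is reduced to comments, and the hardened function uses hypothetical names (hardenedInstallerStep, $installedFlag, $stepDir); the flag file stands in for whatever mechanism the real installer uses to record a completed installation.

```php
<?php
// Illustration only, not EspoCRM's code. The weak pattern the advisory describes:
//   1. CVE-2014-7985: include($_GET['action'] . '.php')  -> path built from user input
//   2. CVE-2014-7986: no check that installation has already completed
//   3. CVE-2014-7987: echo '<p>' . $_GET['desc'] . '</p>' -> unescaped reflection
// The hardened equivalent below addresses each point in turn.

function hardenedInstallerStep(array $get, string $installedFlag, string $stepDir): string
{
    // CVE-2014-7986: refuse to run the installer once installation has completed.
    if (is_file($installedFlag)) {
        http_response_code(403);
        return 'Installation already completed; remove or block the installer directory.';
    }

    // CVE-2014-7985: resolve "action" through a fixed allowlist instead of using it
    // as a path fragment, so include() can only ever load one of these files.
    $allowedActions = [
        'step1'  => 'step1.php',
        'step2'  => 'step2.php',
        'finish' => 'finish.php',
    ];
    $action = (string) ($get['action'] ?? 'step1');
    if (!array_key_exists($action, $allowedActions)) {
        http_response_code(400);
        return 'Unknown installer step.';
    }

    // CVE-2014-7987: escape user-supplied text before placing it into HTML.
    $desc = htmlspecialchars((string) ($get['desc'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');

    ob_start();
    echo '<p>', $desc, '</p>';
    require $stepDir . '/' . $allowedActions[$action];   // allowlisted file only
    return ob_get_clean();
}

// Example wiring (hypothetical paths): installer is disabled once data/installed exists.
echo hardenedInstallerStep($_GET, __DIR__ . '/../data/installed', __DIR__ . '/steps');
```

Deployments that cannot upgrade immediately get most of the same benefit by denying web access to the install directory at the web server or removing it after setup.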

Solution: Install the latest version, 2.6.0, from the vendor.

References:
http://blog.espocrm.com/news/espocrm-2-6-0-released/

Vendor URL:
http://www.espocrm.com/
