Three new vulnerabilities in the Open Source CRM EspoCRM: PHP File Inclusion, Improper Access Control and Reflected Cross-Site Scripting.
Danger level: High
Fix available: Yes
Number of vulnerabilities: 3
CVSSv2 Rating:
(AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C) = Base: 7.6 / Temporal: 5.6
(AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C) = Base: 5 / Temporal: 3.7
(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) = Base: 4.3 / Temporal: 3.2
CVE ID:
CVE-2014-7985
CVE-2014-7986
CVE-2014-7987
Attack vector: Remote
Impact: Cross-site scripting (XSS), unauthorized modification of data, security bypass
Affected products: EspoCRM 2.x
Affected versions: EspoCRM 2.5.2, possibly earlier versions
Description:
The vulnerabilities allow a remote user to conduct cross-site scripting attacks and to compromise a vulnerable system.
1. [CVE-2014-7985: PHP File Inclusion] The vulnerability is due to insufficient validation of the HTTP GET parameter “action” in the script “/install/index.php” before it is passed to the PHP function include(). This can be exploited to include and execute an arbitrary PHP file with the privileges of the web server.
Note: Successful exploitation of this vulnerability allows an attacker to compromise the vulnerable system.
2. [CVE-2014-7986: Improper Access Control] The vulnerability is due to the fact that the application does not properly check whether installation has already been completed before running the script “/install/index.php”. A remote user can trigger a new installation and reinstall the application.
3. [CVE-2014-7987: Reflected Cross-Site Scripting] The vulnerability is due to insufficient sanitisation of input passed via the HTTP GET parameter “desc” to the script “/install/index.php”. This can be exploited via a specially crafted link to execute arbitrary HTML and script code in a user’s browser session in the context of the affected site.
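The three issues above share one root cause: an installer front controller that trusts request parameters and does not know whether it has already run. The following is an added example of a hardened pattern for such a script; it is not EspoCRM's code, and the lock-file path, the allowlist keys and the step file names are assumptions.

```php
<?php
// Added example, not EspoCRM's own installer: one front controller that
// closes the three weaknesses described in the advisory.
declare(strict_types=1);

// 2. Improper access control: refuse to run once installation is complete.
//    The final installer step is expected to create this file (hypothetical path).
$lockFile = __DIR__ . '/../data/install.lock';
if (file_exists($lockFile)) {
    http_response_code(403);
    exit('Installation has already been completed.');
}

// 1. File inclusion: never build an include path from user input.
//    Map the request to a fixed allowlist of known step scripts instead.
$allowedActions = [
    'main'     => 'steps/main.php',
    'settings' => 'steps/settings.php',
    'finish'   => 'steps/finish.php',
];
$action = isset($_GET['action']) ? (string) $_GET['action'] : 'main';
if (!array_key_exists($action, $allowedActions)) {
    http_response_code(400);
    exit('Unknown installer step.');
}
// Only a value we chose ourselves ever reaches require().
require __DIR__ . '/' . $allowedActions[$action];

// 3. Reflected XSS: escape any request value before echoing it into HTML.
$desc = isset($_GET['desc']) ? (string) $_GET['desc'] : '';
echo '<p>' . htmlspecialchars($desc, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
```

The allowlist also defends against path traversal and wrapper tricks, because the user-controlled string is used only as an array key, never as part of a filesystem path.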
Solution: Install version 2.6.0 from the vendor.
References:
http://blog.espocrm.com/news/espocrm-2-6-0-released/
Vendor URL:
http://www.espocrm.com/