Multiple vulnerabilities in EspoCRM

Posted date 10/11/2023
5 - Critical
Affected Resources

EspoCRM, versions equal or previous to 7.5.2.


INCIBE has coordinated the publication of 2 vulnerabilities that affect EspoCRM, which have been discovered by Pedro José Navas Pérez from Hispasec.

These vulnerabilities has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-5965 y CVE-2023-5966: CVSS v3.1: 9.1 | CVSS: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-434.

Users with administrator profile can load extensions and updates by design, as this is a functionality that most users use and request. It is possible to restrict exploitation of the vulnerability by enabling the "restrictedMode" option in the configuration menu.

  • CVE-2023-5965 and CVE-2023-5966: an authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form and the extension deployment form respectively, which could lead to arbitrary PHP code execution.
References list