Description
The current version of EspoCRM, 5.6.4, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in the Knowledge Base. A malicious attacker can inject JavaScript code into the "body" parameter during knowledge base record creation. The PoC contains a link that will execute JavaScript code after being clicked.
PoC
Make the following request (insert your authentication data and hostname)
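One way to filter the link targets the description refers to, as an added example that is not EspoCRM's code or its actual fix: check every `href` in the knowledge base body against a scheme allowlist before storing or rendering it. The function names and the allowlist are assumptions, and the input is assumed to be an attribute value already extracted and entity-decoded by an HTML parser.

```javascript
// Added example, not EspoCRM code. All names here are hypothetical.
// Assumed allowlist of schemes a knowledge base article may link to.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Mirror the browser's URL pre-processing so the check sees the same string
// the browser will act on: trim C0 controls and spaces at both ends, then
// drop tab, CR and LF wherever they appear.
function normalizeHref(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the normalized href when it is relative or uses an allowed scheme,
// otherwise null so the caller can drop the attribute.
function safeHref(value) {
  const href = normalizeHref(value);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (m === null) return href; // no scheme: relative URL, query or fragment
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? href : null;
}

// Constructed sample values (not taken from the report).
const SAMPLES = [
  "https://example.com/kb/1",
  "/kb/article:1",
  "#section",
  "mailto:support@example.com",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "\u0001javascript:void(0)",
  "data:text/html,x",
];

// Classify each sample as kept (true) or dropped (false).
function auditSamples() {
  return SAMPLES.map((s) => safeHref(s) !== null);
}

console.log(auditSamples());
```

An allowlist is used rather than a blocklist of `javascript:` so that other script-capable schemes are rejected without being enumerated.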