CVE-2021-3539 MEDIUM

CVE-2021-3539: EspoCRM Avatar Persistent XSS

Vendor Espocrm

Product EspoCRM

Weakness CWE-79 · XSS

Published August 4, 2021

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product.

Key dates

02Disclosure timeline

August 4, 2021 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-3539 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-1796 StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting CVE-2024-25094 WordPress PJ News Ticker Plugin <= 1.9.5 is vulnerable to Cross Site Scripting (XSS) CVE-2021-25083 Registrations for the Events Calendar < 2.7.10 - Reflected Cross-Site Scripting CVE-2025-9488 Redux Framework <= 4.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter CVE-2024-28095 Stored Cross-site Scripting in News functionality in Schoolbox