CVE-2024-24818 MEDIUM

CVE-2024-24818: EspoCRM weakness in "Forgot password"

Vendor Espocrm
Product espocrm
Weakness CWE-610
Published February 29, 2024
Last update August 5, 2024

CVSS base score

5.9/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.

Key dates

02Disclosure timeline

February 29, 2024 CVE published
August 5, 2024 Record updated