CVE-2025-32789 LOW

CVE-2025-32789: EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function

Vendor Espocrm

Product espocrm

Weakness CWE-200 · Info exposure

Published April 16, 2025

Last update April 17, 2025

View on NVD All CVEs

CVSS base score

3.1/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7.

Key dates

02Disclosure timeline

April 16, 2025 CVE published

April 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-32789 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2024-7418 The Post Grid <= 7.7.11 - Authenticated (Contributor+) Information Disclosure CVE-2022-31130 Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins CVE-2025-12492 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure CVE-2024-13641 Return Refund and Exchange For WooCommerce <= 4.4.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory CVE-2023-46701 Inaccessible Post Information Leak via Run Timeline IDOR