CVE-2022-38844

HIGH

EspoCRM 7.1.8 - Command Injection


Description

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user who exports contacts to a CSV file may end up executing the malicious system commands on their own system.

Scores

CVSS v3 8.0
EPSS 0.0068
EPSS Percentile 71.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-1236
Status published
Products (1)
espocrm/espocrm 7.1.8
Published Sep 16, 2022
Tracked Since Feb 18, 2026