CVE-2025-32390

HIGH

Espocrm < 9.0.8 - Injection

Title source: rule

Description

EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and if they submit their credentials, they get captured in plain text. The vulnerability is allowed by overly permissive HTML editing being allowed on the KB articles. Any authenticated user with the privilege to read KB articles is impacted. In an enterprise with multiple applications, the malicious KB article could be edited to match the login pages of other applications, which would make it useful for credential harvesting against other applications as well. Version 9.0.8 contains a patch for the issue.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/espocrm/espocrm/security/advisories/GHSA-qrwp-v8v3-hqp2

Patch x_refsource_misc

https://github.com/espocrm/espocrm/commit/6b58d30eec8864de52844bfb8dac346ce5c729d7

View Patch ZIP pw:eip

Scores

CVSS v3 8.5

EPSS 0.0032

EPSS Percentile 55.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-74

Status published

Products (1)

espocrm/espocrm < 9.0.8

Published May 12, 2025

Tracked Since Feb 18, 2026