CVE-2025-32385

CVSS v3 Score: 5.3 (Medium)

Vulnerability Description

EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, the Iframe dashlet allows a user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame; however, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.
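The missing sandbox attribute described above, as an added example that is not EspoCRM's own code: a dashlet renderer that validates the user-supplied URL and frames it with a sandbox that withholds allow-popups and allow-top-navigation, plus a parent-side guard for messages arriving from the frame. The function names and the origins used are assumptions.

```javascript
// Added example, not EspoCRM code. Names (renderIframeDashlet, acceptDashletMessage)
// are hypothetical; origins in comments and tests are constructed.

// Accept only absolute http(s) URLs; rejects javascript:, data:, file: and malformed input.
function validateDashletUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened dashlet markup. The sandbox token list deliberately omits allow-popups,
// allow-popups-to-escape-sandbox, allow-top-navigation and allow-modals, so the framed
// page cannot open windows outside the iframe or steer the CRM tab. parentOrigin is the
// CRM's own origin: allow-same-origin is withheld from a frame of that origin, because a
// same-origin frame that also has allow-scripts could remove its own sandbox.
function renderIframeDashlet(rawUrl, parentOrigin, { scripts = true, forms = false } = {}) {
  const url = validateDashletUrl(rawUrl);
  if (url === null) throw new Error('dashlet URL must be an absolute http(s) URL');
  const tokens = [];
  if (scripts) tokens.push('allow-scripts');
  if (forms) tokens.push('allow-forms');
  if (new URL(url).origin !== parentOrigin) tokens.push('allow-same-origin');
  return `<iframe src="${escapeAttr(url)}" sandbox="${tokens.join(' ')}"` +
         ` referrerpolicy="no-referrer"></iframe>`;
}

// Parent-side guard for a `message` event: sandboxing does not stop the framed page
// from calling postMessage, so the parent must ignore anything not from a trusted
// origin. Returns the payload when trusted, null otherwise.
function acceptDashletMessage(event, trustedOrigins) {
  if (!event || typeof event.origin !== 'string') return null;
  if (!trustedOrigins.includes(event.origin)) return null;
  return event.data;
}
```

In a browser the guard is wired up as `window.addEventListener('message', e => acceptDashletMessage(e, trusted))`; the test below exercises it with constructed event objects.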

CVSS: 5.3 (Medium)

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.

CVSS: 5.3 (Medium)

Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface by calling the function SFSafariViewController.

CVSS: 5.3 (Medium)

Inappropriate implementation in Downloads in Google Chrome prior to 125.0.6422.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted ...

CVSS: 5.3 (Medium)

NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products via the network when X-FRAME-OPTIONS is not specified.

CVSS: 5.2 (Medium)

IBM InfoSphere Information Server 11.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit ...

CVSS: 5.4 (Medium)

IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attack...