CVE-2025-32390

HIGH Year: 2025
Weakness Type
CWE-74
View all →

Vulnerability Description

EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and if they submit their credentials, they get captured in plain text. The vulnerability is allowed by overly permissive HTML editing being allowed on the KB articles. Any authenticated user with the privilege to read KB articles is impacted. In an enterprise with multiple applications, the malicious KB article could be edited to match the login pages of other applications, which would make it useful for credential harvesting against other applications as well. Version 9.0.8 contains a patch for the issue.

Related Vulnerabilities

CVE-2020-26282

CRITICAL
CVSS:10.0(Critical)

BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it i...

CWE-742020

CVE-2022-24760

CRITICAL
CVSS:10.0(Critical)

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the...

CWE-742022

CVE-2023-1523

CRITICAL
CVSS:10.0(Critical)

Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary commands to be executed outside of the snap...

CWE-742023

CVE-2023-22527

CRITICAL
CVSS:10.0(Critical)

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version...

CWE-742023

CVE-2023-30547

CRITICAL
CVSS:10.0(Critical)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to ra...

CWE-742023

CVE-2023-32314

CRITICAL
CVSS:10.0(Critical)

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a h...

CWE-742023