CNNVD-202510-1989 Information

CNNVD ID

CNNVD-202510-1989

CVE-2025-59428

  • CNNVD Published: 2025-10-14

Description (Chinese)

EspoCRM is an open-source, web-based customer relationship management (CRM) system from EspoCRM. The system provides sales automation, community and customer support functions. EspoCRM versions before 9.1.9 contain a cross-site request forgery vulnerability, which stems from a stored SVG injection and missing CSRF protection and could lead to arbitrary user creation and privilege escalation.

Description (English)

EspoCRM is an open-source, web-based customer relationship management (CRM) system from EspoCRM. The system provides functions such as marketing automation, community and customer support. EspoCRM versions before 9.1.9 contain a cross-site request forgery vulnerability, which stems from a stored SVG injection and the lack of CSRF protection and could lead to the creation of arbitrary users and the escalation of their privileges.

Hazard Level

High

Vulnerability Type

Cross-site request forgery

Published

2025-10-14

Last Modified

2026-02-24

References

https://github.com/espocrm/espocrm/security/advisories/GHSA-c26c-wvhr-fr6r
https://access.redhat.com/security/cve/cve-2025-59428

Patch

https://www.espocrm.com/