CVE-2025-59428
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espocrm | espocrm | < 9.1.9 (9.1.9 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59428 affects EspoCRM versions before 9.1.9. An authenticated user who holds edit permission on the Knowledge Base can place an SVG element containing a link in an article's body field; the SVG is stored and later rendered for every user who opens the article. When another authenticated user, typically an administrator, clicks that link, the browser navigates to an attacker-controlled page which automatically submits a cross-site request to the EspoCRM user-creation API endpoint (/api/v1/User). If the victim's credentials end up attached to that request, for example because the victim authenticates when prompted, the request is accepted and the attacker gets user accounts with attributes of their choosing, including administrative ones, which is a full privilege escalation. The root cause is the combination of two weaknesses: stored SVG injection in the article body (CWE-79) and missing CSRF protection on the user-creation API (CWE-352). [1]
How can this vulnerability impact me?
A successful attack creates user accounts with attacker-controlled attributes, including administrative accounts, which amounts to full control of the EspoCRM instance. The attacker needs only Knowledge Base edit rights to plant the SVG; the escalation happens when an administrator clicks the embedded link and the forged request to the user-creation API is accepted. The consequences are unauthorized access to, and control over, the customer relationship data held in the CRM, plus a persistent foothold in the form of the new accounts from which the rest of the environment can be attacked. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has a content side and a request side. On the content side, look for SVG markup in user-editable rich-text fields, and specifically for SVG <a> elements whose href or xlink:href points outside the CRM or uses a script scheme such as javascript:. Note that Knowledge Base article bodies are stored in the EspoCRM database rather than on disk, so grep -r '<svg' /path/to/espocrm/data or grep -r '<a href=' /path/to/espocrm/data will only search uploaded attachments and cache files; query the article table instead, for example SELECT id, name FROM knowledge_base_article WHERE body LIKE '%<svg%' (the table and column names assume EspoCRM's default snake_case schema; verify them against your installation).

On the request side, look for POST requests to /api/v1/User whose Origin or Referer header is not your CRM's own origin, or that arrive shortly after a user followed a link out of a Knowledge Base article. Web server or reverse-proxy access logs are the practical source for this. Packet capture is of limited use: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep '/api/v1/User' only matches plaintext, so on an HTTPS deployment the filter has to run on the TLS-terminating proxy or on port 80 traffic only. After any suspected exploitation, also review the user list for accounts created around that time that nobody recognizes, especially ones with administrator rights. [1]
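The content-side check described above, written out as an added example (this is not code from the BaseFortify page or from the EspoCRM project). It scans article bodies for <a> elements nested inside <svg> and flags links that leave the CRM or use a script scheme; the trusted hostname, the sample article rows and their ids are constructed for the example and would be replaced by rows read from your own article table.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the CRM itself is served from. Assumed value for this example;
# SVG links to these hosts are treated as internal and not reported.
TRUSTED_HOSTS = {"crm.example.com"}


def classify_href(href):
    """Bucket a link target as script-scheme, external, internal or relative."""
    parsed = urlparse(href.strip())
    scheme = parsed.scheme.lower()
    if scheme in ("javascript", "data", "vbscript"):
        return "script-scheme"
    if parsed.netloc:  # absolute (https://...) or protocol-relative (//...) URL
        return "internal" if parsed.hostname in TRUSTED_HOSTS else "external"
    return "relative"


class SvgLinkScanner(HTMLParser):
    """Records every <a> that sits inside an <svg> and carries an href."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <SVG> and
        # XLINK:HREF are matched as well.
        if tag == "svg":
            self.svg_depth += 1
            return
        if self.svg_depth == 0 or tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href") or attrs.get("xlink:href")
        if href is None:
            return
        self.findings.append({"href": href, "reason": classify_href(href)})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_article_body(body):
    """Return the SVG-embedded links found in one article body."""
    scanner = SvgLinkScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def suspicious_articles(rows):
    """Return (article_id, findings) for rows whose SVG links leave the CRM or
    use a script scheme; relative and internal SVG links are not reported."""
    flagged = []
    for article_id, body in rows:
        hits = [f for f in scan_article_body(body)
                if f["reason"] in ("external", "script-scheme")]
        if hits:
            flagged.append((article_id, hits))
    return flagged


# Constructed sample rows standing in for (id, body) read from the article table.
SAMPLE_ARTICLES = [
    ("kb-1", '<p>See <a href="https://crm.example.com/#Knowledge">our guide</a>.</p>'),
    ("kb-2", '<p>Diagram:</p>'
             '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="60">'
             '<a href="https://attacker.example/diagram">'
             '<rect width="200" height="60" fill="#2a7"/>'
             '<text x="10" y="35">Open full-size diagram</text></a></svg>'),
    ("kb-3", '<svg><a xlink:href="javascript:alert(document.domain)">'
             '<text y="20">click</text></a></svg>'),
    ("kb-4", '<svg><a href="/#Case/view/1"><text y="20">related case</text></a></svg>'),
]

if __name__ == "__main__":
    for article_id, hits in suspicious_articles(SAMPLE_ARTICLES):
        for hit in hits:
            print(f"{article_id}: {hit['reason']} link to {hit['href']}")
```

The scanner deliberately ignores ordinary <a> elements outside <svg> (kb-1) and SVG links that stay on the CRM (kb-4), so that a normal article with a diagram and an internal link does not produce noise; only kb-2 and kb-3 are reported. Feed it the body column of every article rather than a keyword grep, because a link hidden in a protocol-relative URL (//attacker.example/...) or in an XLINK:HREF attribute is still caught.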
What immediate steps should I take to mitigate this vulnerability?
Upgrade EspoCRM to 9.1.9 or later, where the issue is fixed. Until the upgrade is done: restrict Knowledge Base edit permission to roles you trust and review existing articles for embedded SVG links; strip or sanitize SVG (and HTML generally) in user-editable rich-text fields before it is stored or rendered; and enforce CSRF protection on state-changing API requests such as POST /api/v1/User, by requiring an anti-CSRF token and, as defence in depth, rejecting requests whose Origin header (or, when Origin is absent, Referer) does not match the CRM's own origin. A Content Security Policy is worth having to limit what injected markup can execute inside the CRM, but it does not stop this CSRF: the forged request is submitted from the attacker's page, where your CSP does not apply. Finally, audit the user list and remove any account you cannot account for, since accounts created by a successful attack survive the upgrade. [1]
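The Origin/Referer validation recommended above, as an added example that is not code from the BaseFortify page or from EspoCRM. It is the decision logic a request filter in front of the user-creation endpoint would apply; the allowed origin and the sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# HTTP methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Origins from which the EspoCRM front end is legitimately served.
# Assumed value for this example; list every scheme+host(+port) you serve on.
ALLOWED_ORIGINS = {"https://crm.example.com"}


def origin_of(url):
    """Reduce a URL (an Origin or Referer value) to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def check_request(method, headers):
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    Browsers always attach Origin to cross-site POSTs, so a foreign, "null" or
    missing Origin (with Referer as the fallback) marks the request as
    cross-site and it is rejected before the credentials are even looked at.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check needed"
    lowered = {name.lower(): value for name, value in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        # "null" is what browsers send from sandboxed or data: documents; never trust it.
        allowed = origin != "null" and origin_of(origin) in ALLOWED_ORIGINS
        return allowed, f"Origin {origin} {'allowed' if allowed else 'rejected'}"
    referer = lowered.get("referer")
    if referer:
        ref_origin = origin_of(referer)
        allowed = ref_origin in ALLOWED_ORIGINS
        return allowed, f"Referer origin {ref_origin} {'allowed' if allowed else 'rejected'}"
    return False, "no Origin or Referer on state-changing request"


# Constructed requests illustrating the decision table.
SAMPLE_REQUESTS = [
    ("legitimate UI call", "POST", {"Origin": "https://crm.example.com"}),
    ("forged from attacker page", "POST", {"Origin": "https://attacker.example",
                                          "Referer": "https://attacker.example/csrf.html"}),
    ("older browser, Referer only", "POST", {"Referer": "https://crm.example.com/#User"}),
    ("headers stripped", "POST", {}),
    ("read-only listing", "GET", {}),
]

if __name__ == "__main__":
    for label, method, headers in SAMPLE_REQUESTS:
        allowed, reason = check_request(method, headers)
        print(f"{label:28} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Two caveats when deploying a check like this. First, it only protects requests a browser could have authenticated on the victim's behalf; apply it to browser-originated calls (session or Basic-auth credentials) and not to integrations that authenticate with an API key, which send neither header and would otherwise be refused. Second, the check is independent of how the credentials were attached, so it blocks the forged POST whether the victim's browser replayed stored credentials or the victim typed them into an authentication prompt; an anti-CSRF token remains the primary defence, and this is the cheap second layer.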