Executive Summary

EspoCRM versions 9.3.3 and below allow authenticated users to upload SVG files as attachments. These SVG files are served as inline documents through attachment and image entry points. Although inline scripts in SVG are blocked by the Content-Security-Policy (CSP), the CSP still permits same-origin external scripts. An attacker can exploit this by uploading a malicious SVG file that references a separately uploaded attacker-controlled JavaScript file. When another user opens the SVG, the JavaScript executes within the victim's EspoCRM session, resulting in stored cross-site scripting (XSS).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to execute malicious JavaScript in the context of another user's authenticated EspoCRM session. This can lead to unauthorized reading of victim data, performing actions on behalf of the victim, exfiltrating authentication tokens, or escalating privileges within the application.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your EspoCRM instance allows authenticated users to upload SVG attachments and serves them as inline documents. You can check for the presence of SVG files uploaded by users and whether these files are accessible via image or attachment entry points.

Since the vulnerability involves stored cross-site scripting through SVG files referencing same-origin external JavaScript, you can look for SVG files that include external script references.

Suggested commands to detect potentially malicious SVG files on your server include searching for SVG files containing script references. For example, on the server hosting EspoCRM, you can run:

• grep -ril '<script' /path/to/espocrm/attachments
• grep -ril 'xlink:href' /path/to/espocrm/attachments | xargs grep -l '.js'

Additionally, monitoring network traffic for requests to SVG files and associated JavaScript files from authenticated sessions may help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading EspoCRM to version 9.3.4 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, you can mitigate the issue by:

• Removing SVG from the list of allowed image types for attachments.
• Sanitizing SVG content to remove any script references or external script calls.
• Serving SVG files from an untrusted origin to prevent same-origin script execution.
• Enforcing stricter Content-Security-Policy (CSP) headers that block same-origin external scripts in SVG files.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in EspoCRM allows attackers to execute stored cross-site scripting (XSS) attacks, which can lead to unauthorized access to victim data, execution of actions on behalf of users, and exfiltration of tokens. Such unauthorized data access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Specifically, the ability of an attacker to read victim data and perform actions within the authenticated EspoCRM session could result in violations of confidentiality and integrity requirements mandated by these standards.

Useful 0 Not Useful 0