CVE-2024-24818— EspoCRM weakness in "Forgot password"
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-24818
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
EspoCRM weakness in "Forgot password"
Source: NVD (National Vulnerability Database)
Vulnerability Description
EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
资源在另一范围的外部可控制索引
Source: NVD (National Vulnerability Database)
Vulnerability Title
EspoCRM 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
EspoCRM是一套开源的基于Web的客户关系管理系统(CRM)。该系统提供销售自动化、社区和客户支持等功能。 EspoCRM 8.1.1及之前版本存在安全漏洞,该漏洞源于允许攻击者在Password Change页面中注入任意IP或域,并将受害者重定向到恶意页面。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-24818
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-24818
请登录查看更多情报信息。
- https://github.com/espocrm/espocrm/security/advisories/GHSA-8gv6-8r33-fm7jx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-24818
IV. Related Vulnerabilities
Same product: espocrm
- CVE-2026-33733
EspoCRM has Admin TemplateManager path traversal that allows - CVE-2026-33656
EspoCRM vulnerable to authenticated RCE via Formula with pat - CVE-2026-33740
EspoCRM: Email importEml can import and delete another user' - CVE-2026-33659
EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl E - CVE-2026-33657
EspoCRM: Stored HTML injection in email notifications about
Same vendor: espocrm
- CVE-2026-33733
EspoCRM has Admin TemplateManager path traversal that allows - CVE-2026-33656
EspoCRM vulnerable to authenticated RCE via Formula with pat - CVE-2026-33740
EspoCRM: Email importEml can import and delete another user' - CVE-2026-33659
EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl E - CVE-2026-33657
EspoCRM: Stored HTML injection in email notifications about
Same weakness: CWE-610
V. Comments for CVE-2024-24818
No comments yet