CVE-2025-59428— EspoCRM allows arbitrary user creation via stored SVG injection and CSRF

EspoCRM allows arbitrary user creation via stored SVG injection and CSRF

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

跨站请求伪造(CSRF)

EspoCRM 跨站请求伪造漏洞

EspoCRM是EspoCRM开源的一套开源的基于Web的客户关系管理系统（CRM）。该系统提供销售自动化、社区和客户支持等功能。 EspoCRM 9.1.9之前版本存在跨站请求伪造漏洞，该漏洞源于存储型SVG注入和缺少CSRF保护，可能导致任意用户创建和权限提升。

N/A

N/A