EspoCRM Iframe Dashlet Phishing Vulnerability

Vulnerability

A vulnerability in EspoCRM versions prior to 9.0.5 allows the Iframe dashlet to display iframes with arbitrary URLs. Because the iframe is rendered without a sandbox attribute, the remote page can open popups outside the iframe, creating a phishing risk: a user may be tricked into interacting with a window that appears to belong to the CRM. Because the iframe URL is user-defined, an attacker who convinces a user to enter a malicious URL can exploit this. The missing sandbox attribute also permits the remote page to send messages to the parent frame, although EspoCRM does not consume such messages.
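
The following is an added example, not EspoCRM's own code, showing the two controls a defender would apply to a dashlet like this: restrict the user-supplied URL to absolute http(s) URLs, and emit the iframe with a sandbox attribute whose token list omits allow-popups and allow-top-navigation. The function names, the chosen sandbox tokens and the markup shape are assumptions for illustration.

```javascript
// Added example (not EspoCRM code): hardening a user-configured iframe dashlet.
// Assumes the dashlet only needs scripts and forms inside the frame.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Deliberately omits allow-popups, allow-popups-to-escape-sandbox and
// allow-top-navigation, so the remote page cannot open windows outside
// the frame or navigate the parent document.
const SANDBOX_TOKENS = ['allow-scripts', 'allow-forms'];

function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the normalized URL, or null when the input is not an absolute
// http(s) URL (rejects javascript:, data:, relative paths and garbage).
function validateDashletUrl(input) {
  let parsed;
  try {
    parsed = new URL(String(input));
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Builds the iframe markup; throws on an invalid URL so the dashlet
// renders nothing rather than an unsandboxed frame.
function renderIframeDashlet(input) {
  const url = validateDashletUrl(input);
  if (url === null) throw new Error('invalid iframe URL');
  const sandbox = SANDBOX_TOKENS.join(' ');
  return `<iframe src="${escapeAttr(url)}" sandbox="${sandbox}" referrerpolicy="no-referrer"></iframe>`;
}

// Audit helper: given the value of an existing sandbox attribute (or null
// when the attribute is absent), report what re-enables popup/navigation escape.
function riskySandboxTokens(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return ['(no sandbox attribute)'];
  const risky = new Set(['allow-popups', 'allow-popups-to-escape-sandbox', 'allow-top-navigation']);
  return sandboxAttr.trim().split(/\s+/).filter((t) => risky.has(t));
}
```

riskySandboxTokens is meant for checking rendered dashlet markup during a review; an empty result means the frame cannot open popups or navigate the top-level page.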

Impact

This vulnerability could be exploited to conduct phishing attacks by tricking users into interacting with popups generated by a malicious iframe.

Remediation

Users can upgrade to EspoCRM version 9.0.5 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          3.1
  exploitability  6.4
  remediation     7.7
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.