EspoCRM Arbitrary User Creation Vulnerability via Stored SVG Injection and CSRF

Vulnerability

A vulnerability in EspoCRM allows for arbitrary user creation, including administrative accounts, in versions prior to 9.1.9. This issue arises from a combination of stored SVG injection and inadequate Cross-Site Request Forgery (CSRF) protection. An attacker with Knowledge Base edit permissions can insert a malicious SVG link into an article's body. When clicked by an authenticated user, the link redirects to an attacker-controlled HTML page that executes a CSRF request to the api/v1/User endpoint. If the victim enters their credentials, an account is created with privileges defined by the CSRF payload.

Impact

Exploitation of this vulnerability allows for arbitrary user creation with attacker-defined attributes, including administrative rights. If an administrator is tricked into clicking the malicious link, the attacker gains full control over the system.

Reproduction

To reproduce this vulnerability, an attacker must have Knowledge Base edit permissions. They can embed a malicious SVG payload into the body field of an article. This payload should include a link to an attacker-controlled HTML page that, when accessed, automatically submits a CSRF request to the api/v1/User endpoint, creating a user account with specified attributes.

Remediation

Users are advised to update to EspoCRM version 9.1.9 or later. Additionally, SVG and HTML rendering in user-editable fields should be sanitized and restricted. Origin or Referer headers should be validated for requests to the api/v1/User endpoint, and administrative actions should be restricted to trusted domains via Content Security Policy.
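The two server-side checks the remediation describes, written out as an added example (this is not EspoCRM's own code, and it is in Python rather than the project's PHP so that it can be run stand-alone). It assumes a constructed trusted origin `https://crm.example.com`, hypothetical helper names `request_origin_allowed` and `sanitize_svg`, and a constructed SVG article body containing the kinds of content the advisory warns about: an off-site link, an event-handler attribute and a script element.

```python
"""Defensive checks for the weaknesses in this advisory (example code):
(1) reject state-changing API requests whose Origin/Referer does not name
the CRM itself, and (2) strip scripts, event handlers and off-site links
from SVG markup before it is stored in an article body.
All names, the trusted origin and the sample SVG are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://crm.example.com"  # placeholder: the CRM's own origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
DANGEROUS_TAGS = {"script", "foreignObject"}  # can run script or embed HTML


def _same_origin(url: str, trusted_origin: str) -> bool:
    """True if url's scheme and host equal the trusted origin's."""
    got, want = urlsplit(url.strip()), urlsplit(trusted_origin)
    return (got.scheme.lower(), got.netloc.lower()) == (want.scheme.lower(), want.netloc.lower())


def request_origin_allowed(method: str, headers: dict, trusted_origin: str = TRUSTED_ORIGIN) -> bool:
    """Gate for write routes such as api/v1/User: a state-changing request
    must carry an Origin or Referer header naming the CRM itself. A missing
    header fails closed, and an Origin of "null" (sandboxed or redirect-
    laundered pages) never matches a real origin. Safe methods pass."""
    if method.upper() not in STATE_CHANGING:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    return _same_origin(source, trusted_origin)


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{uri}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def _link_allowed(value: str, trusted_origin: str) -> bool:
    """Keep in-document (#id), relative and same-origin links only; this
    also rejects javascript: and data: URLs, which have a scheme but no host
    matching the CRM."""
    v = value.strip()
    if v.startswith("#"):
        return True
    parts = urlsplit(v)
    if not parts.scheme and not parts.netloc:
        return True
    return _same_origin(v, trusted_origin)


def sanitize_svg(svg_text: str, trusted_origin: str = TRUSTED_ORIGIN):
    """Return (clean_svg, removed); 'removed' records what was dropped so the
    rejection can be logged or shown to the editor."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    removed = []
    # Pass 1: drop whole elements that can execute code or embed HTML.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
                removed.append(_local(child.tag))
    # Pass 2: drop on* event-handler attributes and disallowed link targets
    # (both plain href and xlink:href resolve to the local name 'href').
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on"):
                del el.attrib[attr]
                removed.append("@" + name)
            elif name == "href" and not _link_allowed(el.attrib[attr], trusted_origin):
                removed.append("@href=" + el.attrib[attr])
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode"), removed


# Constructed article body: an off-site link, an event handler, a script.
CONSTRUCTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://attacker.example/page.html"><text onclick="go()">open</text></a>'
    '<a href="#part"><rect/></a><script>alert(1)</script></svg>'
)

if __name__ == "__main__":
    print(request_origin_allowed("POST", {"Origin": "https://attacker.example"}))
    print(sanitize_svg(CONSTRUCTED_SVG))
```

The origin check is defence in depth, not a replacement for per-session CSRF tokens on the user-creation route; it also fails closed when both headers are absent, which some privacy extensions strip, so log those rejections rather than silently dropping them. For production parsing of untrusted XML, prefer a hardened parser such as `defusedxml` over `xml.etree` to avoid entity-expansion problems.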

Added: Oct 14, 2025, 3:21 PM
Updated: Oct 14, 2025, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.3
remediation: 7.9
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.