EspoCRM Authenticated Remote Code Execution Vulnerability via Attachment Source ID Overwrite

Vulnerability

A critical remote code execution vulnerability exists in EspoCRM versions prior to 9.3.4. The issue arises from the formula scripting engine, which allows authenticated admin users to overwrite the `sourceId` field of `Attachment` entities. This `sourceId` is then used to construct file paths without proper sanitization, enabling path traversal. As a result, an attacker can manipulate file read or write operations to target arbitrary locations within the web server's `open_basedir` scope.
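To make the failure mode concrete, the following is an added illustration (not EspoCRM's own code) of the unsafe pattern the advisory describes beside a hardened path builder that allow-lists the ID and checks containment; the upload directory, the ID format and the sample values are assumptions.

```python
import os
import re

# Assumed layout, not EspoCRM's real path: every attachment file must stay
# under this directory.
ATTACHMENT_DIR = os.path.realpath("/var/www/espocrm/data/upload")

# Assumption: a record ID is a short alphanumeric token. Slashes, dots and
# NUL bytes are never part of an ID and must not reach the filesystem layer.
ID_PATTERN = re.compile(r"^[A-Za-z0-9]{1,32}$")


def vulnerable_path(source_id: str) -> str:
    """Unsafe pattern: sourceId is trusted as a path fragment.

    A sourceId such as '../../.htaccess' resolves outside ATTACHMENT_DIR.
    """
    return os.path.normpath(os.path.join(ATTACHMENT_DIR, source_id))


def safe_path(source_id: str) -> str:
    """Hardened pattern: reject non-IDs, then prove the resolved path is contained.

    Raises ValueError for anything that is not a plain record ID or whose
    resolved path lies outside ATTACHMENT_DIR.
    """
    if not ID_PATTERN.fullmatch(source_id):
        raise ValueError(f"rejected sourceId (not a record id): {source_id!r}")
    # realpath collapses '..' and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(ATTACHMENT_DIR, source_id))
    if os.path.commonpath([ATTACHMENT_DIR, candidate]) != ATTACHMENT_DIR:
        raise ValueError(f"rejected sourceId (escapes upload dir): {source_id!r}")
    return candidate


def is_safe_source_id(source_id: str) -> bool:
    """True when safe_path() accepts the value; convenient for validation hooks."""
    try:
        safe_path(source_id)
        return True
    except ValueError:
        return False


def escapes_upload_dir(path: str) -> bool:
    """True when a computed attachment path lies outside ATTACHMENT_DIR."""
    resolved = os.path.realpath(path)
    return os.path.commonpath([ATTACHMENT_DIR, resolved]) != ATTACHMENT_DIR
```

The same containment check belongs wherever a stored field is turned into a filesystem path, since the field may have been rewritten by a scripting layer after upload-time validation.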

Impact

Exploitation of this vulnerability allows authenticated admin users to execute arbitrary commands on the server with the privileges of the web server user.

Reproduction

The vulnerability can be reproduced by creating an `Attachment` entity and uploading a benign file. Then, the `sourceId` is overwritten with a path traversal string that points to a location within the web server's document root. After redirecting the `sourceId` to a `.htaccess` file and appending a directive to execute a PHP web shell, the uploaded shell can be accessed and used to execute commands on the server.

Remediation

Users are advised to update EspoCRM to version 9.3.4 or later.

Added: Apr 22, 2026, 9:24 PM
Updated: Apr 22, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.