EspoCRM
cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*
- <= 9.3.3
A stored HTML injection vulnerability has been identified in EspoCRM versions through 9.3.3. This vulnerability allows authenticated users with standard privileges to inject arbitrary HTML into system-generated email notifications. The issue arises because the 'post' field in stream activity notes is rendered using unescaped Handlebars triple-brace syntax, which preserves inline HTML by default. Additionally, the rendering pipeline skips sanitization for fields in 'additionalData', allowing attacker-controlled HTML to be accepted, stored, and rendered in emails without escaping. As a result, injected content appears trusted to recipients, enabling phishing attacks, user tracking through embedded resources, and manipulation of the email's user interface. The vulnerability's impact is heightened by the '@mention' feature, which can target specific users.
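To make the difference between the two Handlebars forms concrete, the following is an added example, not EspoCRM's own code: a minimal stand-in renderer in Python that treats `{{{field}}}` as raw output and `{{field}}` as HTML-escaped output, applied to a constructed notification template and a constructed note body. The template text, the `userName` field, the `tracker.example` host and the helper names are assumptions.

```python
import html
import re

# Minimal stand-in for the two Handlebars forms: {{{name}}} (raw) and {{name}} (escaped).
# Only simple variable substitution is modelled; blocks and helpers are out of scope.
_TAG = re.compile(r"\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}")

def render(template: str, ctx: dict) -> str:
    def sub(m):
        raw_name, esc_name = m.group(1), m.group(2)
        if raw_name is not None:
            # Triple braces: value is inserted verbatim, so inline HTML survives.
            return str(ctx.get(raw_name, ""))
        # Double braces: value is HTML-escaped before insertion.
        return html.escape(str(ctx.get(esc_name, "")), quote=True)
    return _TAG.sub(sub, template)

# Constructed email templates (assumptions): the vulnerable form and the hardened form.
VULNERABLE_TEMPLATE = "<p>{{userName}} posted:</p><div>{{{post}}}</div>"
HARDENED_TEMPLATE = "<p>{{userName}} posted:</p><div>{{post}}</div>"

# Constructed note body carrying an external image reference, the kind of content
# the advisory describes being stored in the 'post' field.
NOTE = {"userName": "alice", "post": 'Hi <img src="https://tracker.example/p.gif">'}

def render_vulnerable(note: dict = NOTE) -> str:
    return render(VULNERABLE_TEMPLATE, note)

def render_hardened(note: dict = NOTE) -> str:
    return render(HARDENED_TEMPLATE, note)

_HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def contains_markup(post: str) -> bool:
    """Defensive check: flag a stored 'post' value that carries HTML tags,
    usable when auditing existing notes or as a guard before a notification is sent."""
    return bool(_HTML_TAG.search(post))

if __name__ == "__main__":
    print(render_vulnerable())  # <img ...> reaches the recipient unchanged
    print(render_hardened())    # tag is rendered as visible text, no resource is fetched
```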
Exploitation of this vulnerability allows for the injection of HTML into trusted system emails, creating opportunities for phishing attacks, user tracking via embedded resources, and manipulation of the email content's user interface. The '@mention' feature can be used to target specific users with malicious emails.
To reproduce this vulnerability, authenticate as a regular user with standard privileges. Send a POST request to the '/api/v1/Note' endpoint, including injected HTML in the 'post' field. The request will succeed, and an email notification will be sent containing the unescaped HTML. External resources, such as tracking pixels, will be requested when the email is opened.
Users can update to EspoCRM version 9.3.4, where this vulnerability has been fixed.