EspoCRM
cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*
- <= 9.3.3
A path traversal vulnerability has been identified in EspoCRM versions prior to 9.3.4. The issue arises in the admin template management endpoints, which accept user-controlled 'name' and 'scope' values. These values are concatenated into filesystem paths without sanitization, so an authenticated admin can escape the intended template directory with '../' sequences. The affected operations read, create, overwrite, or delete files named 'body.tpl' or 'subject.tpl', so the attacker controls the directory but not the file name, and is limited by the filesystem permissions of the OS user the application runs as.
An authenticated admin can therefore create, overwrite, or delete 'body.tpl' and 'subject.tpl' files anywhere the application user can write, which can break other features that rely on those templates, and can read back the contents of any such file the application user can read, exposing sensitive data if one of them contains it.
The vulnerability can be reproduced by an authenticated admin user. First, open the admin template manager UI and send a POST request to the 'saveTemplate' action with a traversal payload in the 'name' field, along with 'subject' and 'body' content. This writes 'subject.tpl' and 'body.tpl' into a directory outside the intended template path. After confirming the files were created on disk, the same 'name' traversal payload can be used to read them back through the 'getTemplate' action. Finally, the 'resetTemplate' action with the same payload deletes the traversed files, demonstrating read, write, and delete of files outside the template root.
To address this vulnerability, do not concatenate user-controlled template identifiers directly into filesystem paths. Implement strict allowlisting for valid template names and scope values, reject any value containing path separators, '..' or other path metacharacters before constructing the path, and, as a defense in depth, canonicalize the final path (resolving '..' and symlinks) and verify that it still lies within the intended template root. Apply these validations to the read, write, and delete operations alike, since all three accept the same parameters.
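The following is an added Python illustration of the unsafe pattern the advisory describes beside the hardened check recommended above; it is not EspoCRM's own code (EspoCRM is written in PHP), and the template root, the allowlisted template names and scopes, and the helper names are assumptions for the example. The traversal payload is constructed here to show that the unsafe builder resolves outside the root while the hardened builder rejects it.

```python
import os
import re

# Assumed template root for the example; EspoCRM's real layout is not reproduced.
TEMPLATE_ROOT = "/var/www/espocrm/custom/Espo/Custom/Resources/templates"

# Assumed allowlists. A real deployment would derive these from the set of
# registered template names and entity scopes rather than hard-code them.
ALLOWED_NAMES = {"accessInfo", "assignment", "invitation", "passwordChangeLink"}
ALLOWED_SCOPES = {"", "Account", "Contact", "Lead", "Opportunity"}
ALLOWED_PARTS = {"body.tpl", "subject.tpl"}

# One token, no separators, no dots: rules out "../", "/", and "\" outright.
SAFE_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,63}$")


def unsafe_template_path(root, name, scope, part):
    """The vulnerable pattern: 'name' and 'scope' go straight into the path."""
    if scope:
        return os.path.join(root, scope, name, part)
    return os.path.join(root, name, part)


def is_inside_root(root, path):
    """Canonicalize both sides and compare by path component, so that a
    sibling such as '/templates-evil' is not mistaken for '/templates/...'."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


def safe_template_path(root, name, scope, part):
    """Hardened builder: allowlist every component, then verify containment."""
    if part not in ALLOWED_PARTS:
        raise ValueError("unknown template part")
    if not SAFE_TOKEN.match(name) or name not in ALLOWED_NAMES:
        raise ValueError("invalid template name")
    if scope and (not SAFE_TOKEN.match(scope) or scope not in ALLOWED_SCOPES):
        raise ValueError("invalid scope")
    candidate = os.path.join(root, scope, name, part) if scope else os.path.join(root, name, part)
    # Defense in depth: even if an allowlist entry were ever mis-configured,
    # the resolved path must still sit under the template root.
    if not is_inside_root(root, candidate):
        raise ValueError("path escapes template root")
    return os.path.realpath(candidate)


def is_rejected(name, scope, part, root=TEMPLATE_ROOT):
    """Convenience wrapper: True if the hardened builder refuses the input."""
    try:
        safe_template_path(root, name, scope, part)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed traversal payload in the 'name' field, as the advisory describes.
    payload = "../../../../tmp/evil"
    bad = unsafe_template_path(TEMPLATE_ROOT, payload, "", "body.tpl")
    print("unsafe resolves to:", os.path.realpath(bad))
    print("inside root?", is_inside_root(TEMPLATE_ROOT, bad))
    print("hardened rejects payload?", is_rejected(payload, "", "body.tpl"))
    print("hardened accepts valid:", safe_template_path(TEMPLATE_ROOT, "invitation", "Account", "body.tpl"))
```

The allowlist alone already blocks the payload, since a token regex with no '.' or '/' cannot express '../'; the realpath-and-commonpath check is kept as a second, independent gate so that a future change to the allowlist or to how the path is assembled cannot silently reopen the traversal.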