EspoCRM
cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*
- <= 9.3.3
A stored cross-user cross-site scripting vulnerability has been identified in EspoCRM versions through 9.3.3. This issue allows authenticated users to upload SVG files as attachments, which can then execute JavaScript in the context of the user who opens the SVG. The vulnerability arises because the Content Security Policy (CSP) blocks inline scripts in SVGs but permits same-origin external scripts. An attacker can exploit this by uploading a malicious SVG that references an external JavaScript file, then tricking another user into opening the SVG, thereby executing the JavaScript in the victim's EspoCRM session.
Exploitation of this vulnerability allows for stored cross-user cross-site scripting, where uploaded SVG files can execute JavaScript in the context of the user who opens them. This could lead to unauthorized actions being performed in the user's session or sensitive data being accessed and exfiltrated.
To reproduce this vulnerability, upload a JavaScript file as an attachment that contains a script to execute, such as an alert command. Then, upload an SVG file that includes a reference to the JavaScript attachment using the download entry point. Finally, open the SVG through either the attachment or image entry points, which will trigger the JavaScript execution.
Users are advised to update to EspoCRM version 9.3.4 or later. Additionally, do not allow user-uploaded SVG files to be served as active same-origin documents. Consider removing SVG from the allowed image types for attachments, sanitizing SVG files before storage, and implementing a restrictive CSP for SVG responses.
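The two defensive measures recommended above, sanitizing SVG attachments before storage and serving them with a restrictive policy, can be expressed as a small server-side check. The following is an added example written for this page, not EspoCRM's own code: it parses an uploaded SVG, rejects any file that carries script elements, event-handler attributes, or external (including same-origin) URL references, which is the exact gap a CSP that allows same-origin scripts leaves open, and it builds the response headers that keep an attachment inert when it is served. The sample SVG documents and the `/placeholder/uploaded.js` path are constructed for the demonstration.

```python
# Added example (not EspoCRM's code): a server-side policy for user-uploaded SVG
# attachments, mirroring the remediation advice in the advisory. Standard library only.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that carry script or can pull in foreign documents or resources.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attribute names (namespaced and plain) through which an SVG references a URL.
REF_ATTRS = {"href", "{%s}href" % XLINK_NS}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG must not be accepted as a passive image.

    An empty list means no active content was found. A parse failure is itself
    a finding: a file the parser cannot read is not a safe image either.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag != "{%s}svg" % SVG_NS:
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        if not isinstance(el.tag, str):  # comments/PIs, if a parser keeps them
            continue
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        if tag == "style" and re.search(r"@import|url\(", el.text or ""):
            findings.append("<style> element loads an external resource")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            # Same-document fragment links (#id) are fine; anything else is a URL
            # the browser would fetch, including same-origin script files that a
            # policy permitting 'self' would happily execute.
            if attr in REF_ATTRS and not value.strip().startswith("#"):
                findings.append(f"external reference {name}={value!r} on <{tag}>")
    return findings


def accept_svg_attachment(svg_bytes: bytes) -> tuple[bool, list[str]]:
    """Upload-time policy decision: (accepted, findings)."""
    findings = svg_findings(svg_bytes)
    return (not findings, findings)


def attachment_headers(filename: str, content_type: str) -> dict[str, str]:
    """Response headers that keep a served attachment inert.

    Content-Disposition: attachment stops the browser rendering the file as a
    same-origin document at all; the CSP forbids every script source, including
    same-origin ones, should the file be rendered anyway.
    """
    safe_name = re.sub(r"[^\w.\- ]", "_", filename)[:255] or "attachment"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; sandbox",
    }


# Constructed samples (not taken from any real upload).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#36c"/>
</svg>"""

# Mirrors the pattern the advisory describes: no inline script body, but a
# reference to a same-origin script file, plus an event handler. The path is a
# placeholder, not an EspoCRM URL.
UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <script xlink:href="/placeholder/uploaded.js"/>
  <rect width="10" height="10" onclick="void 0"/>
</svg>"""

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SVG), ("unsafe", UNSAFE_SVG)):
        ok, why = accept_svg_attachment(data)
        print(label, "accepted" if ok else "rejected", why)
    print(attachment_headers('report "final".svg', "image/svg+xml"))
```

The check is deliberately a deny-list of active constructs rather than a full allow-list sanitizer; the simplest robust deployment is to combine it with the headers above (or to drop SVG from the accepted image types entirely, as the advisory suggests), so that a file the check misses is still served as a download under a policy with no script source at all.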