CVE-2024-24818


EspoCRM is open source Customer Relationship Management software. An attacker can inject an arbitrary IP or domain into the "Password Change" page and redirect the victim to a malicious page, which could lead to credential theft or another attack. This vulnerability is fixed in 8.1.2.


Published: 2024-03-21T02:52:12.073

Last Modified: 2025-06-27T14:35:32.800

Status: Analyzed

Source: [email protected]

Severity: CVSSv3.1: 5.9 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-610
  • Type: Primary
    CWE-601

Affected Vendors & Products
Type         Vendor   Product  Version/Range  Vulnerable?
Application  espocrm  espocrm  < 8.1.2        Yes
