EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function

EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

信息暴露

EspoCRM 安全漏洞

EspoCRM是EspoCRM开源的一套开源的基于Web的客户关系管理系统（CRM）。该系统提供销售自动化、社区和客户支持等功能。 EspoCRM 9.0.7之前版本存在安全漏洞，该漏洞源于密码哈希排序不当，可能导致密码哈希泄露。

N/A

N/A