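Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong strives to ensure the accuracy of the data, but please verify and judge it against your actual situation.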
Vulnerability Title
EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user
Vulnerability Description
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowed updating an attachment's `sourceId`, so an authenticated admin could overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.
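The concatenation flaw described above, next to one way to guard it, as an added PHP 8 example that is not EspoCRM's code or its 9.3.4 patch. The upload root, the function names and the alphanumeric ID format are assumptions.

```php
<?php
// Hypothetical upload root; EspoCRM's real directory layout is not shown on the page.
const UPLOAD_DIR = '/var/www/crm/data/upload';

// The flaw as described: the stored ID is appended to the directory unchecked.
function filePathUnchecked(string $sourceId): string
{
    return UPLOAD_DIR . '/' . $sourceId;
}

// Lexically resolve "." and ".." so the check also covers files that do not
// exist yet (realpath() returns false for a path that is about to be written).
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '..') {
            array_pop($out);
        } elseif ($part !== '' && $part !== '.') {
            $out[] = $part;
        }
    }
    return '/' . implode('/', $out);
}

// Hardened form: allow-list the ID format, then confirm containment.
function filePathChecked(string $sourceId): string
{
    // Assumption: IDs are short alphanumeric tokens.
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $sourceId) !== 1) {
        throw new InvalidArgumentException('sourceId has an unexpected format');
    }
    $path = normalizePath(UPLOAD_DIR . '/' . $sourceId);
    if (!str_starts_with($path, UPLOAD_DIR . '/')) {
        throw new RuntimeException('resolved path leaves the upload directory');
    }
    return $path;
}

// Constructed sample values: one well-formed ID and two malformed ones.
foreach (['69a1f0c2b7d34e5f8', '../../outside.txt', "abc\0.txt"] as $id) {
    $raw = normalizePath(filePathUnchecked($id));
    try {
        printf("%-22s ok   %s\n", json_encode($id), filePathChecked($id));
    } catch (Throwable $e) {
        printf("%-22s deny %s (unchecked: %s)\n", json_encode($id), $e->getMessage(), $raw);
    }
}
```

The containment check is kept behind the allow-list on purpose, so a later loosening of the ID pattern does not silently reopen the traversal.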
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
Improper limitation of a pathname (path traversal)
Vulnerability Title
EspoCRM Path Traversal Vulnerability
Vulnerability Description
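EspoCRM is an open-source, web-based customer relationship management (CRM) system from EspoCRM. The system provides sales automation, community, and customer support features. EspoCRM versions before 9.3.4 contain a path traversal vulnerability, which stems from the built-in formula scripting engine allowing an attachment's sourceId to be updated, so that an authenticated administrator can overwrite the sourceId field of Attachment entities. Because sourceId is concatenated directly into the file path in EspoUploadDir::getFilePath without sanitization, an attacker can redirect any file read or write operation, within the web server's open_basedir scope, to an arbitrary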
CVSS Information
N/A
Vulnerability Type
N/A