{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32385", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-06T19:46:02.462Z", "datePublished": "2025-04-15T23:23:58.292Z", "dateUpdated": "2025-04-17T14:23:10.191Z"}, "containers": {"cna": {"title": "EspoCRM allows unrestricted Embedding in Iframe dashlet", "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "lang": "en", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8"}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"version": "< 9.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-15T23:23:58.292Z"}, "descriptions": [{"lang": "en", "value": "EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5."}], "source": {"advisory": "GHSA-2rf2-mj98-2fr8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-17T14:23:01.556382Z", "id": "CVE-2025-32385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T14:23:10.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-17T14:23:01.556382Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T14:23:06.395Z"}}], "cna": {"title": "EspoCRM allows unrestricted Embedding in Iframe dashlet", "source": {"advisory": "GHSA-2rf2-mj98-2fr8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"status": "affected", "version": "< 9.0.5"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8", "name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-15T23:23:58.292Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32385", "state": "PUBLISHED", "dateUpdated": "2025-04-17T14:23:10.191Z", "dateReserved": "2025-04-06T19:46:02.462Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-15T23:23:58.292Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5."}, {"lang": "es", "value": "EspoCRM es un software de c\u00f3digo abierto para la gesti\u00f3n de relaciones con clientes. Antes de la versi\u00f3n 9.0.5, el dashlet de iframe permit\u00eda al usuario mostrar iframes con URL arbitrarias. Como el atributo de la sandbox no est\u00e1 incluido en el iframe, la p\u00e1gina remota puede abrir ventanas emergentes fuera de \u00e9l, lo que podr\u00eda enga\u00f1ar a los usuarios y crear un riesgo de phishing. La URL del iframe est\u00e1 definida por el usuario, por lo que un atacante tendr\u00eda que enga\u00f1arlo para que especifique una URL maliciosa. La ausencia del atributo de la sandbox tambi\u00e9n permite que la p\u00e1gina remota env\u00ede mensajes al marco principal. Sin embargo, EspoCRM no utiliza estos mensajes. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 9.0.5."}], "id": "CVE-2025-32385", "lastModified": "2025-04-16T13:25:37.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-04-16T00:15:19.907", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}