CSV Injection in Create Contacts in EspoCRM 7.1.8: Remote Command Execution via Malicious CSV Payloads

CVE-2022-38844 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CSV injection in the Create Contacts feature of EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts whose fields contain payloads capable of executing system commands. An admin user who exports the contacts to a CSV file may end up executing the malicious system commands on their own system.
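The export step is where this class of issue is usually closed: contact fields are neutralized before they are written to the CSV file. The following is an added example, not EspoCRM's code or its actual fix; it assumes the common mitigation of prefixing formula-like cells with an apostrophe and quoting every field, and the field names and sample contacts are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain signed decimals such as "-12.50" are data, not formulas, and are left untouched.
PLAIN_NUMBER = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will display instead of evaluate."""
    if value is None:
        return ""
    text = str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text
    # Ignore leading spaces when checking for a trigger character.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces the cell to be treated as text
    return text


def export_contacts(rows, fieldnames):
    """Serialize contact dicts to CSV with every field quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\r\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample data; the field names are hypothetical, not EspoCRM's schema.
FIELDS = ["firstName", "lastName", "phone", "balance"]
SAMPLE_CONTACTS = [
    {"firstName": "Alice", "lastName": "Ng", "phone": "+1 555 0100", "balance": "-12.50"},
    {"firstName": "=1+1", "lastName": "@SUM(A1:A2)", "phone": "\t=2*3", "balance": "7"},
]

if __name__ == "__main__":
    print(export_contacts(SAMPLE_CONTACTS, FIELDS))
```

Neutralizing at export time protects whoever opens the file even when malicious values are already stored; validating input at contact creation is a complementary control.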
