Arbitrary PHP Code Execution via Specially Crafted Zip Upload in EspoCRM 7.2.5

CVE-2023-5965 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

In EspoCRM version 7.2.5, an authenticated privileged attacker could upload a specially crafted zip archive to the server through the update form, which could lead to arbitrary PHP code execution.