CVE-2024-24818
Published: 21 March 2024
Summary
CVE-2024-24818 is a medium-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in EspoCRM (NVD vendor/product: Espocrm Espocrm). Its CVSS base score is 5.9 (Medium).
Operationally, it is ranked at the 31.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22188
Vulnerability details
EspoCRM is an open-source Customer Relationship Management (CRM) application. An attacker can inject an arbitrary IP address or domain into the "Password Change" page and redirect the victim to a malicious page, which could lead to credential theft or further attacks. This vulnerability is fixed in EspoCRM 8.1.2.
- CWE(s): CWE-610 (Externally Controlled Reference to a Resource in Another Sphere)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security awareness training that covers verifying URLs before following them and avoiding untrusted redirects that lead to malicious sites.
- Validation of redirect targets and URLs so that they conform to an allowlist of permitted destinations (same-origin paths or explicitly approved hosts).
- Limiting the impact of an externally controlled reference by replacing any target that fails validation with a fixed, known-safe destination (for example, the application's own login page) instead of honouring the supplied value.
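The pattern behind this CVE (a host taken from the request and used to build the Password Change redirect) next to the redirect-target validation and safe-fallback controls listed above, as an added example. This is illustrative Python written for this page; it is not EspoCRM's code and does not reproduce the 8.1.2 fix. The site base URL `https://crm.example.com`, the function names `vulnerable_redirect` / `safe_redirect`, and the sample targets are assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed public base URL of the CRM instance (hypothetical). A real
# deployment must read this from trusted configuration, never from the request.
SITE_URL = "https://crm.example.com"


def vulnerable_redirect(request_host: str, path: str = "/") -> str:
    """Pattern behind CWE-610 open redirects: the destination host comes from
    the request (e.g. a Host header or a hidden form field) and is used
    verbatim, so whoever controls that value chooses where the victim lands."""
    return f"https://{request_host}{path}"


def safe_redirect(target: str, site_url: str = SITE_URL, default: str = "/") -> str:
    """Return an absolute URL on site_url, or site_url + default when the
    requested target is not an on-site destination.

    Relative paths are resolved against site_url. Absolute URLs are accepted
    only with an http(s) scheme and an authority that exactly matches
    site_url. Everything else (other hosts, protocol-relative URLs, other
    schemes, control characters, unparsable input) falls back to `default`.
    """
    site = urlsplit(site_url)
    fallback = urljoin(site_url, default)

    # Control characters or whitespace anywhere: reject outright rather than
    # guessing how a browser would canonicalise them.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return fallback

    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.example" is a
    # network-path reference to evil.example. Normalise before parsing.
    candidate = target.replace("\\", "/")

    # "//host" is protocol-relative and browsers collapse "///host" to the
    # same thing; any leading "//" therefore changes the host. Reject it.
    if candidate.startswith("//"):
        return fallback

    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback

    if parts.scheme:
        # Absolute URL: only http(s), and the whole authority must match the
        # site exactly (case-insensitive). Comparing the full netloc also
        # defeats "https://crm.example.com@evil.example/" (userinfo trick),
        # "crm.example.com.evil.example" (suffix trick) and "http:evil.example"
        # (no authority, which browsers still resolve to evil.example).
        if (parts.scheme.lower() not in ("http", "https")
                or not parts.netloc
                or parts.netloc.lower() != site.netloc.lower()):
            return fallback
        # Re-emit with the site's own scheme so an "http://" target cannot
        # downgrade an https deployment.
        return urlunsplit((site.scheme, site.netloc, parts.path or "/",
                           parts.query, parts.fragment))

    # No scheme and no leading "//": a plain path, resolved against the
    # trusted base URL.
    return urljoin(site_url, candidate)


if __name__ == "__main__":
    # Constructed sample targets, including the attacker-controlled host case.
    print("vulnerable:", vulnerable_redirect("203.0.113.5", "/#login"))
    for t in ["/#login", "https://203.0.113.5/#login", "//203.0.113.5/",
              "https://crm.example.com@evil.example/", "/\\evil.example",
              "javascript:alert(1)", "http:evil.example"]:
        print(f"{t!r:45} -> {safe_redirect(t)}")
```

The validator deliberately prefers rejection over clever canonicalisation: every ambiguous form (backslashes, extra leading slashes, scheme without authority, control characters) is sent to the fixed fallback rather than being "repaired", because browsers and server-side URL parsers disagree on exactly those inputs.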