Description

EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.

INFO

Published Date :

2025-04-15T23:23:58.292Z

Last Modified :

2025-04-17T14:23:10.191Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-32385 vulnerability.

Vendors Products
Espocrm
  • Espocrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-32385.

URL Resource
https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact