CVE-2026-33656
EspoCRM · EspoCRM
A path traversal vulnerability in EspoCRM's formula scripting engine allows authenticated administrators to read or write arbitrary files on the server.
Executive summary
An authenticated administrator can exploit a file path manipulation flaw in EspoCRM to read or write arbitrary files on the underlying web server.
Vulnerability
The vulnerability resides in the EspoUploadDir::getFilePath() method: the sourceId parameter is used to build a file path without sanitization, so an authenticated administrator can escape the intended directory constraints.
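To make the bug class concrete, the following is an added example written for this page, not EspoCRM's own code: a naive path builder that concatenates a caller-supplied identifier onto a base directory, beside a hardened version that allow-lists the identifier and verifies the resolved path stays inside the base directory. The directory name, the function names and the sample identifiers are constructed for illustration; the real getFilePath() body is not reproduced here.

```python
import os
from pathlib import Path

# Constructed placeholder for an upload directory (assumption, not EspoCRM's layout).
UPLOAD_DIR = "/srv/example/upload"


class UnsafePathError(ValueError):
    """Raised when a caller-supplied identifier would leave the upload directory."""


def naive_file_path(source_id: str, base_dir: str = UPLOAD_DIR) -> str:
    """Weak pattern (hypothetical): join the id onto the base directory with no
    containment check. A '..' sequence in source_id walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, source_id))


def safe_file_path(source_id: str, base_dir: str = UPLOAD_DIR) -> str:
    """Hardened pattern: treat the id as a single opaque filename component and
    confirm the resolved path is still under base_dir (defence in depth)."""
    # 1. Allow-list the identifier: non-empty, not a dot entry, one path
    #    component, and only characters an upload id legitimately needs.
    if (not source_id or source_id in (".", "..")
            or not all(c.isalnum() or c in "-_." for c in source_id)):
        raise UnsafePathError(f"invalid source id: {source_id!r}")

    # 2. Resolve both sides (normalises '..' and follows existing symlinks) and
    #    require the candidate to be the base itself or a descendant of it.
    base = Path(base_dir).resolve(strict=False)
    candidate = (base / source_id).resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise UnsafePathError(f"path escapes upload dir: {candidate}")
    return str(candidate)


def is_rejected(source_id: str) -> bool:
    """True if the hardened builder refuses the identifier."""
    try:
        safe_file_path(source_id)
    except UnsafePathError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal upload id and a traversal attempt.
    for sid in ("5f1c2a.png", "../../secret.txt"):
        print(f"naive : {sid!r:22} -> {naive_file_path(sid)}")
        print(f"safe  : {sid!r:22} -> "
              f"{'REJECTED' if is_rejected(sid) else safe_file_path(sid)}")
```

The allow-list alone would stop the traversal; the containment check is kept so that a later change to the allow-list (or a symlink planted inside the upload directory) still cannot yield a path outside it.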
Business impact
While the attack requires administrative authentication, the ability to overwrite or read arbitrary files can lead to full application compromise or sensitive data theft, including configuration files and credentials. With a CVSS score of 9.1, this flaw poses a severe threat to the integrity and confidentiality of the CRM data and the host server.
Remediation
Immediate Action: Update EspoCRM to version 9.3.4 or later.
Proactive Monitoring: Audit logs for suspicious file system operations, specifically those involving unexpected paths or attempts to access system-level files.
Compensating Controls: Ensure the web server process runs with the least privilege necessary, strictly adhering to open_basedir restrictions to limit the scope of potential file access.
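As a starting point for the log audit recommended above, here is an added example (not EspoCRM tooling) that scans web-server access-log lines for traversal indicators in the request path and in query parameters such as sourceId, decoding percent-encoding repeatedly so that double-encoded sequences are caught. The log lines, client addresses and URL routes are constructed for this example and do not correspond to real EspoCRM endpoints.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache "combined" log format. The routes and hosts are
# made up for illustration; lines 2 and 3 carry traversal attempts, the rest are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /example/files/5f1c2a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2026:10:00:07 +0000] "GET /example/files/..%2F..%2Fconfig-placeholder.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:01:15 +0000] "POST /example/run?sourceId=..%252F..%252Fconfig-placeholder.php HTTP/1.1" 200 88 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2026:10:02:00 +0000] "GET /example/list?offset=0 HTTP/1.1" 200 4096 "-" "curl/8.4"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double- or triple-encoded separators are normalised before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if, after decoding, the value contains a '..' path segment
    (with either separator) or an embedded NUL byte."""
    normalised = fully_decode(value).replace("\\", "/")
    return "\x00" in normalised or any(seg == ".." for seg in normalised.split("/"))


def audit(log_text: str) -> list:
    """Return one finding per log line whose path or any query value shows traversal."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m["target"]
        parts = urlsplit(target)
        fields = []
        if has_traversal(parts.path):
            fields.append("path")
        # parse_qs decodes one layer; has_traversal decodes any remaining layers.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(has_traversal(v) for v in values):
                fields.append(f"query:{key}")
        if fields:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "fields": fields,
                "target": target,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} status {f['status']} "
              f"via {', '.join(f['fields'])} -> {f['target']}")
```

A 200 status on a flagged line is the case worth escalating: it suggests the request was served rather than rejected, and should be cross-checked against which administrative account was active at that timestamp.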
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrators should apply the security update immediately. Given that this vulnerability allows for file system manipulation, internal security teams should also audit administrative accounts for unauthorized activity or signs of privilege abuse.