cvedb.io
CVE-2025-32789
LOW · CVSS 3.1
EPSS exploitation probability: 0%
Published 2025-04-16T22:15:14.800 · Last modified 2026-06-17T09:12:34.540

Summary

EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7.

Affected products

espocrm — espocrm

Does this affect you?

Add your gear to cvedb and we'll alert you only when espocrm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.