What is CVE-2025-32385?

CVE-2025-32385 is a medium-severity vulnerability in Espocrm, classified under Improper Restriction of Rendered UI Layers or Frames (Clickjacking). CVSS score: 5.3/10. Published 2025-04-15.

How severe is CVE-2025-32385?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Espocrm

CVE-2025-32385

EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups…

EPSS: 0.004 (59.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N.

Affected products

Espocrm — versions < 9.0.5

Weakness classification (CWE)

CWE-1021 — Improper Restriction of Rendered UI Layers or Frames (Clickjacking)

References

https://github.com/espocrm/espocrm/security/advisories/GHSA-2rf2-mj98-2fr8 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2025-32385?: CVE-2025-32385 is a medium-severity vulnerability in Espocrm, classified under Improper Restriction of Rendered UI Layers or Frames (Clickjacking). CVSS score: 5.3/10. Published 2025-04-15.
How severe is CVE-2025-32385?: Medium severity. CVSS v3 base score is 5.3 out of 10.