Description
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.
Problem types
CWE-284: Improper Access Control
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-862: Missing Authorization
Product status
References
github.com/...spocrm/security/advisories/GHSA-c3rm-m24p-255p
github.com/...spocrm/security/advisories/GHSA-c3rm-m24p-255p