An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.CreditsPedro José Navas PérezReferenceshttps://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrm
