EspoCRM version 2.5.2 suffers from cross site scripting, local file inclusion, and improper access control vulnerabilities.