Security Research & Advisories

Stored Cross-Site Scripting Vulnerability in SuiteCRM

Product: SuiteCRM
Affected Version(s): 7.11.13 and probably prior
Tested Version(s): 7.11.13
Vendor Notification: June 12, 2020
Advisory Publication: June 12, 2020 [without technical details]
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: June 10, 2020
CVE Identifier(s): CVE-2020-14208
Product Description: SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open-source alternative application.
Credits: Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium
CVSS Score: 6.1
CWE-ID: CWE-79
Status: Not Fixed
Vulnerability Description
SuiteCRM version 7.11.13, and probably prior versions, is affected by a stored Cross-Site Scripting (XSS) vulnerability. A remote authenticated attacker can upload a document carrying a crafted payload; because the payload is stored and later rendered without adequate output encoding, arbitrary web script or HTML is injected into the pages of other users who view the document.
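To make the vulnerability class concrete while the actual injection point stays undisclosed, the following is an added, hypothetical example and not SuiteCRM code: a document list is rendered once with raw string interpolation (the stored-XSS pattern) and once with contextual HTML output encoding, and a simple check confirms whether a crafted upload name survives into the page unencoded. The upload records, field names and payload are constructed for the illustration; where SuiteCRM actually stores and renders the payload is not stated on this page.

```python
"""
Illustration of the stored-XSS class described above: attacker-controlled
upload metadata (here the document name) is stored, then rendered into
HTML for other users. Added example; hypothetical, not SuiteCRM code.
"""
import html

# Constructed sample uploads as an attacker could submit them; the second
# record carries a payload in its document name.
UPLOADS = [
    {"document_name": "quarterly-report.pdf", "size": 48213},
    {"document_name": '<img src=x onerror="alert(document.cookie)">', "size": 12},
]


def render_vulnerable(uploads):
    """Builds the document table the way a vulnerable template would:
    raw interpolation of stored values, no output encoding."""
    rows = "".join(
        f"<tr><td>{u['document_name']}</td><td>{u['size']}</td></tr>"
        for u in uploads
    )
    return f"<table>{rows}</table>"


def render_hardened(uploads):
    """Same template with output encoding for the HTML text context.
    html.escape(quote=True) encodes < > & " and ', so the stored payload
    is displayed literally instead of being parsed as markup. The size
    column is coerced to int so only digits can ever reach the page."""
    rows = "".join(
        f"<tr><td>{html.escape(u['document_name'], quote=True)}</td>"
        f"<td>{int(u['size'])}</td></tr>"
        for u in uploads
    )
    return f"<table>{rows}</table>"


def payload_survives(rendered, payload):
    """Check a tester would run against the rendered page: the exact
    payload string appears in the HTML unencoded, i.e. stored XSS."""
    return payload in rendered


if __name__ == "__main__":
    payload = UPLOADS[1]["document_name"]
    print("vulnerable:", payload_survives(render_vulnerable(UPLOADS), payload))
    print("hardened:  ", payload_survives(render_hardened(UPLOADS), payload))
```

The fix belongs at the output side (encoding for the context the value lands in), not only at upload time: a filename filter at upload can be bypassed or out of sync with other write paths, while encoding at render time protects every stored value regardless of how it got there.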
CVSS Base Score (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.