SuiteCRM Unauthenticated Reflected Cross-Site Scripting Vulnerability Allowing Account Takeover
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in SuiteCRM versions 7.14.7 and below. It allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session. Successful exploitation could lead to full account takeover, for example by modifying the login form so that it sends the entered credentials to an attacker-controlled server. Exploitation requires the victim to open a specially crafted link, which could be delivered through phishing, social media, or other channels.
Impact
Exploitation of this vulnerability allows for unauthenticated reflected Cross-Site Scripting, with the potential for full account takeover.
Reproduction
To reproduce this vulnerability, send a crafted link that exploits the reflected XSS issue to a victim. Once the victim clicks the link, the injected JavaScript will execute in their browser, potentially leading to account takeover.
Remediation
Users can upgrade to SuiteCRM version 7.14.8 to address this vulnerability.
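Until an instance is upgraded to 7.14.8, a defender's practical question is whether crafted links of the kind described under Reproduction are already being sent to users. The following Python helper is an added example, not part of this advisory and not SuiteCRM's own code: it parses web server access-log lines, URL-decodes each query parameter (repeatedly, so double-encoded values are not missed) and flags values carrying common reflected-XSS indicators. The log lines, the IP addresses and the parameter name `q` are constructed placeholders; the advisory does not name the affected parameter, so the scanner checks every query parameter rather than a specific one.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample access-log lines in combined log format. The query
# parameter names are placeholders, not SuiteCRM's real parameters, and the
# IP addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:13:56:01 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:13:56:07 +0000] "GET /index.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2025:13:57:12 +0000] "POST /index.php?module=Users&action=Login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request
# target and status are all we need for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a query value is being used to inject markup or script.
# Checked in order; the first label that matches is reported.
XSS_INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("html-tag", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %253C (double-encoded
    '<') is seen as '<'. max_rounds bounds the work on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the label of the first XSS indicator found in value, or None."""
    for label, pattern in XSS_INDICATORS:
        if pattern.search(value):
            return label
    return None


def scan_log(text):
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; skip rather than crash the review
        query = urlparse(match["target"]).query
        # parse_qsl decodes one layer; fully_decode handles any further layers.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            label = classify(name + "=" + value)
            if label:
                findings.append({
                    "ip": match["ip"],
                    "ts": match["ts"],
                    "param": name,
                    "value": value,
                    "indicator": label,
                })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["indicator"]}: {hit["param"]}={hit["value"]!r}')
```

Findings only show that a payload was sent, not that it executed; for a reflected issue the useful follow-up is correlating the flagged requests with the referring site or e-mail campaign, and confirming the instance has been upgraded. The decoded value is kept in the finding so an analyst can judge it without re-running the decoding by hand.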