Security Research & Advisories

Stored Cross-Site Scripting Vulnerability in SuiteCRM

Product SuiteCRM
Affected Version(s) 7.11.13 and probably prior and probably prior
Tested Version(s) 7.11.13
Vendor Notification 12 June 2020
Advisory Publication 12 June 2020 [without technical details]
Vendor Fix 7.11.17
Public Disclosure 05 November 2020
Latest Modification 05 November 2020
CVE Identifier CVE-2020-14208
Product Description SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open source alternative application
Credits Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium CVSS Score: 6.1 CWE-ID: CWE-79 Status: Open
Vulnerability Description
The application SuiteCRM is affected by a stored Cross-Site Scripting (XSS) vulnerability affecting version 7.11.13 and probably prior versions. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML by uploading a document with a crafted payload.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required None Integrity Impact Low
User Interaction Required Availability Impact Low



SuiteCRM application has a stored Cross-Site Scripting (XSS) vulnerability due to the lack of content validation and output encoding. This vulnerability can be exploited by uploading a crafted payload inside a document. Then, the vulnerability can be triggered when the user previews the document´s content. 

The following payload was successfully submitted to the server in the document´s content:

<script type="text/javascript">alert("@nogagmx");</script>

Exploitation Process

The following screenshot shows the “Documents” module which allow users to upload files.

To exploit the vulnerability, a txt file can be uploaded. The screenshot below shows the content of the “message.txt” file. As it can be observed, the payload is a simple alert which will display the message “@nogagmx”

The screenshots below show the request made to the server when the user uploads the “message.txt” file.

After following the redirection, the content of the file can be visualized by clicking on the eye symbol as shown the screenshot below:

After that, a new browser tab is opened and the payload previously injected in the document’s content is successfully executed.