CVE-2018-20816

MEDIUM

SuiteCRM 7.0.0-7.8.23 & 7.10.0-7.10.10 - XSS & CSRF via Add Dashboard Pages

Title source: llm
STIX 2.1

Description

An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.

References (3)

Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/salesagility/SuiteDocs/pull/198/files
Release Notes, Vendor Advisory x_refsource_misc
https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11
Release Notes, Vendor Advisory x_refsource_misc
https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24

Scores

CVSS v3 6.1
EPSS 0.0057
EPSS Percentile 43.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-352 CWE-79
Status published
Products (1)
salesagility/suitecrm 7.0.0 - 7.8.24
Published Apr 05, 2019
Tracked Since Feb 18, 2026