Reflected Cross-Site Scripting due to Improper Sanitization in salesagility/suitecrm


Reported on

Oct 9th 2022


User Input that is reflected in a JavaScript Context is not properly sanitized. The User Input is reflected inside of a single-quoted string and single-quotes are encoded. However, there is an issue with the entity removing HTML <script> tags that prevents single-quotes from being encoded. This allows breaking out of the string context and injecting user input into a JavaScript context, resulting in XSS.

Proof of Concept

In the ComposeView for Emails, user input in the return_id parameter is reflected in the response inside a script-tag here:

        {* Compose view has a TEMP ID in case you want to display multi instance of the ComposeView *}
      $(document).ready(function() {ldelim}
        $('#ComposeView').EmailsComposeView({if $RETURN_MODULE != 'Emails' && $RETURN_ID}{ldelim}
          'attachment': {ldelim}
            'module': '{$RETURN_MODULE}',
            'id': '{$RETURN_ID}'

Breaking out by injecting a single-quote does not work since these are encoded. However, this can be bypassed by injecting a </script>-tag which is then removed by an implemented filter.


In order to leave the JavaScript syntax intact, the complete payload looks like this:

Full URL

SuiteCRM 7.12.7:


SuiteCRM 8.1.3:

Resulting JavaScript Code

The PoC results in the following JavaScript code:

      $(document).ready(function() {
          'attachment': {
            'module': 'Contacts',
            'id': '8331951d-e227-bf4a-4d9f-6342aee6edcc'}});alert`1`;});$(a).a(function(){$(a).a({1:{1:''


The impact is JavaScript code execution in the context of the victim, essentially leading to complete account takeover.


User Input should be properly sanitized before being inserted into a JavaScript context.

We are processing your report and will contact the salesagility/suitecrm team within 24 hours. a year ago
We have contacted a member of the salesagility/suitecrm team and are waiting to hear back a year ago
Jack Anderson
a year ago


Hi Vautia,

Thank you for your Security Report.

We have raised the issue from this report with our internal security team to be confirmed.

Below is a reference of the issue raised and ID allocated:

  • SCRMBT-#212 - Reflected Cross-Site Scripting due to Improper Sanitization

We will review the issue and confirm if it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or that it does not need to be private then we'll raise it via the GitHub bug tracker or a more appropriate place.

Thank you for your contribution to the SuiteCRM project.

We have sent a follow up to the salesagility/suitecrm team. We will try again in 7 days. a year ago
We have sent a second follow up to the salesagility/suitecrm team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the salesagility/suitecrm team. This report is now considered stale. a year ago
Pavlos validated this vulnerability 7 months ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 7.12.9 with commit c19f22 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability 7 months ago
ComposeView.tpl#L260 has been validated
to join this conversation