HTML injection in Title in salesagility/suitecrm


Reported on

Oct 6th 2023



PoC:


HTML injection.

We are processing your report and will contact the salesagility/suitecrm team within 24 hours. 4 months ago
We have contacted a member of the salesagility/suitecrm team and are waiting to hear back 4 months ago
salesagility/suitecrm maintainer
4 months ago


Hi nam-no,

Thank you for your Security Report.

We have raised the issue from this report with our internal security team to be confirmed.

Below is a reference of the issue raised and ID allocated:

SCRMBT-#249 – HTML injection in Title in salesagility/suitecrm

We will review the issue and confirm whether or not it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or that it does not need to be private then we'll raise it via the GitHub bug tracker or a more appropriate place.

Thank you for your contribution to the SuiteCRM project.

Kind regards, SuiteCRM Security Team

salesagility/suitecrm maintainer has acknowledged this report 4 months ago
salesagility/suitecrm maintainer
4 months ago


Hi @nam-no

The Security Team has now assessed the following issue:

SCRMBT-#249 – HTML injection in Title in salesagility/suitecrm

This issue has been given a severity grading of 'Moderate'. As such we are planning to schedule the fix to address this issue into a release in the near future.

We would like to suggest a change in the CVSS rating to CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Medium 4.3), the following are the reasons for the change:

Attack Vector

  • Network
  • A victim must access a vulnerable system via the network.

Attack Complexity

  • Low

Privileges Required

  • Low
  • Requires an authenticated user

User Interaction

  • None

Scope

  • Unchanged
  • The vulnerability is exploited on the browser and the impact is to the user's browser.

Confidentiality Impact

  • None
  • Requires an authenticated user. Impacts the dashlet for a single user.

Integrity Impact

  • Low

Availability Impact

  • None

Once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not to be included or have a specific request on how you would like to be referenced within the release notes.

Once the issue is resolved, a CVE will be emitted. We will then update the release notes with this CVE.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team

4 months ago


Oh, this is great. Please make a release note, credit the discovery for this incident, and assign a CVE to it. I hope to receive a response from you soon. Thank you.

Clemente Raposo modified the Severity from Medium (6.5) to Medium (4.3) 4 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Clemente Raposo validated this vulnerability 4 months ago
nam-no has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
4 months ago


any new update?

Clemente Raposo marked this as fixed in 7.14.2, 7.12.14, 8.4.2 with commit 54bc56 3 months ago
Clemente Raposo has been awarded the fix bounty
This vulnerability has now been published 3 months ago