CVE-2018-20816

Published: Apr 5, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.

Affected (2)

Products: Salesagility: Suitecrm

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Salesagility Suitecrm	From 7.0.0 to 7.8.24
Salesagility Suitecrm	From 7.10.00 to 7.10.11

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11

Source: cve@mitre.org

Release NotesVendor Advisory

https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/salesagility/SuiteDocs/pull/198/files

Source: cve@mitre.org

PatchThird Party Advisory

https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://github.com/salesagility/SuiteDocs/pull/198/files

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.