Reflected Cross-Site Scripting (XSS) in SuiteCRM
- SuiteCRM, versions prior to 7.14.1;
- SuiteCRM, versions prior to 8.8.1.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting SuiteCRM, a customer relationship management tool. The vulnerability was discovered by Sergio Marín Martínez.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41384 : CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerabilities have been fixed by the SuiteCRM team in versions 7.14.7 and 8.8.1.
CVE-2025-41384: Cross-Site Scripting (XSS) vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but will allow the JavaScript code to execute.
