CVE-2018-20816

EUVD-2018-13358
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Affected Products (NVD)
VendorProductVersion
salesagilitysuitecrm
7.0.0 ≤
𝑥
< 7.8.24
salesagilitysuitecrm
7.10.00 ≤
𝑥
< 7.10.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11
https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24
https://github.com/salesagility/SuiteDocs/pull/198/files
https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11
https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24
https://github.com/salesagility/SuiteDocs/pull/198/files