Platform
php
Component
suitecrm
Fixed in
7.14.1
CVE-2023-5351 is a stored Cross-Site Scripting (XSS) vulnerability affecting SuiteCRM versions prior to 7.14.1. This vulnerability allows attackers to inject malicious scripts into the application, which are then executed in the browsers of unsuspecting users. Successful exploitation could lead to session hijacking, data theft, or defacement of the SuiteCRM instance. Affected versions include all releases up to and including 7.14.1; the vulnerability has been resolved in version 7.14.1.
The impact of CVE-2023-5351 is significant due to the nature of XSS vulnerabilities. An attacker could inject malicious JavaScript code into SuiteCRM, which would then be executed whenever a user views the affected page. This could allow the attacker to steal session cookies, effectively hijacking the user's account and gaining unauthorized access to sensitive data. Furthermore, the attacker could use the injected script to redirect users to phishing sites, display fake login forms, or modify the content of the page to mislead users. The blast radius extends to all users of the affected SuiteCRM instance, and the potential for widespread compromise is high, particularly if the system handles sensitive customer or financial data. The stored nature of the XSS means the malicious script persists until removed, potentially affecting numerous users over time.
CVE-2023-5351 was published on October 3, 2023. While no active campaigns targeting this specific vulnerability have been publicly reported, the ease of exploitation associated with XSS vulnerabilities means it remains a potential target. The vulnerability is present in the GitHub repository salesagility/suitecrm, indicating it is publicly accessible. Severity is rated as High (CVSS 8.9), reflecting the potential for significant impact. No KEV or EPSS score is currently available.
Exploit Status
EPSS
0.13% (32nd percentile)
CVSS vector
The primary mitigation for CVE-2023-5351 is to upgrade SuiteCRM to version 7.14.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation and output encoding should be implemented on all user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Review and sanitize any custom code or plugins that interact with user input. After upgrading to 7.14.1, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a form field and confirming that the script is not executed.
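The output-encoding and input-validation workaround described above, shown as an added PHP example that is not SuiteCRM's own code: `render_unsafe`, `render_safe`, `h`, `validate_name` and `fix_verified` are hypothetical helpers, and the record is constructed sample data using the page's test payload.

```php
<?php
// Added example (not SuiteCRM code): encoding a stored field value at output time.
declare(strict_types=1);

// Constructed sample record: "name" holds the page's test payload, "note" holds
// a benign value with quotes to show attribute-context encoding.
$record = ['name' => '<script>alert(1)</script>', 'note' => 'Ann "Annie" O\'Neil'];

// Vulnerable pattern: the stored value is echoed into the page unencoded, so a
// script stored in the database reaches every viewer's browser intact.
function render_unsafe(array $r): string {
    return '<td>' . $r['name'] . '</td><input value="' . $r['note'] . '">';
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES covers both
// quote characters (needed inside attribute values); ENT_SUBSTITUTE avoids the
// empty-string result on invalid UTF-8, which would drop the field silently.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $r): string {
    return '<td>' . h($r['name']) . '</td><input value="' . h($r['note']) . '">';
}

// Second layer at write time: an allowlist for what a name field may contain.
// Hypothetical rule; adjust to the field's real requirements.
function validate_name(string $name): bool {
    return (bool) preg_match('/^[\p{L}\p{N} .,\'-]{1,100}$/u', $name);
}

// The verification step from the mitigation text, automated: after the fix the
// rendered page must not contain an unencoded script tag for the test payload.
function fix_verified(array $r): bool {
    return stripos(render_safe($r), '<script') === false;
}

echo render_unsafe($record), PHP_EOL;   // raw <script> tag in the markup
echo render_safe($record), PHP_EOL;     // tag and quotes are entity-encoded
var_dump(validate_name($record['name']), validate_name('Ana O\'Neil'));
var_dump(fix_verified($record));
```

The same `h()` wrapper belongs around every point where stored user data is written into a template; encoding at input time instead is not a substitute, because the value may later be rendered in a context the input filter did not anticipate.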
Upgrade SuiteCRM to version 7.14.1 or later. This version contains a fix for the stored XSS vulnerability. The upgrade can be performed through the SuiteCRM administration panel or by downloading the latest version from the official website and following the upgrade instructions.
It's a High severity Cross-Site Scripting (XSS) vulnerability in SuiteCRM versions up to 7.14.1, allowing attackers to inject malicious scripts.
If you are using SuiteCRM versions 7.14.1 or earlier, you are potentially affected by this vulnerability.
Upgrade SuiteCRM to version 7.14.1 or later. Implement input validation and output encoding as a temporary measure.
No active campaigns have been publicly reported, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official SuiteCRM security advisory and the NVD entry for CVE-2023-5351 for more details.