Cross-site scripting in SuiteCRM - CVE-2024-50335


Published: November 5, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127393
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-50335
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SalesAgility
Affected software:
SuiteCRM

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to cross-site scripting in the "Publish Key" field on the Edit Profile page when handling user-supplied input. A remote privileged user can inject malicious script to disclose sensitive information.

The injected script executes in the context of an authenticated user's session and can steal CSRF tokens that may be used to create unauthorized administrator users.
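The defect class described above (CWE-79, a stored value echoed back into a page without HTML encoding) is easiest to see next to its fix. The following is an added example and not SuiteCRM's or SalesAgility's code; the function names, the field value, and the output contexts are assumptions made for illustration. It renders a profile field the unsafe way and the hardened way, and includes a small check a reviewer can run over rendered fragments to confirm no raw markup from a user-controlled value survives encoding.

```php
<?php
// Added example: escaping a user-supplied profile field before it is
// written into HTML. Not SuiteCRM code; names and values are assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern: the stored value is interpolated verbatim.
 * A value such as <script>...</script> becomes live markup in the page.
 */
function renderFieldUnsafe(string $label, string $value): string
{
    return "<tr><td>{$label}</td><td>{$value}</td></tr>";
}

/**
 * Hardened pattern: encode for the HTML text context at the point of output.
 * ENT_QUOTES covers both quote styles so the same helper is safe inside
 * attribute values; ENT_SUBSTITUTE avoids returning an empty string on
 * malformed UTF-8 (which would otherwise silently drop the field).
 */
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFieldSafe(string $label, string $value): string
{
    return '<tr><td>' . escHtml($label) . '</td><td>' . escHtml($value) . '</td></tr>';
}

/**
 * Reviewer check: given a rendered fragment and the raw user value it was
 * built from, report whether any '<' or '"' from the raw value reached the
 * output unencoded. True means the fragment is clean.
 */
function userValueIsEncoded(string $fragment, string $rawValue): bool
{
    if (strpbrk($rawValue, '<>"\'&') === false) {
        return true; // nothing in the raw value needed encoding
    }
    // If the raw value appears verbatim, encoding was skipped somewhere.
    return strpos($fragment, $rawValue) === false;
}

// Constructed sample: a textbook test string standing in for what a
// privileged user could save in the "Publish Key" field.
$publishKey = '<script>alert("xss-test")</script>';

if (PHP_SAPI === 'cli') {
    $unsafe = renderFieldUnsafe('Publish Key', $publishKey);
    $safe   = renderFieldSafe('Publish Key', $publishKey);

    echo "unsafe: {$unsafe}\n";
    echo "safe:   {$safe}\n";
    echo 'unsafe encoded? ' . var_export(userValueIsEncoded($unsafe, $publishKey), true) . "\n";
    echo 'safe encoded?   ' . var_export(userValueIsEncoded($safe, $publishKey), true) . "\n";
}
```

Run with `php example.php`. The unsafe fragment contains the `<script>` element intact (the check reports `false`), while the safe fragment carries `&lt;script&gt;...` and reports `true`. The encoding must happen at output time for the context the value lands in; a value that is later placed into a JavaScript string or a URL needs a different encoder, and the same helper is not sufficient there.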


How to mitigate CVE-2024-50335

Install the security update from the vendor's website.
