#VU127393 Cross-site scripting in SuiteCRM - CVE-2024-50335

Published: November 5, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127393
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-50335
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
SuiteCRM
Software vendor:
SalesAgility

Description

The vulnerability allows a remote privileged user to obtain sensitive information from another user's session.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to the "Publish Key" field on the Edit Profile page. A remote privileged user can store malicious script in this field; the value is later rendered without output encoding, so the script executes in the browser of an authenticated user who views the page (stored cross-site scripting).

The injected script runs with the viewing user's session and can read CSRF tokens from the page. Those tokens can then be used to submit forged requests on that user's behalf, for example to create unauthorized administrator accounts.


Remediation

Install the security update from the vendor's website.

External links