Reflected Cross-Site Scripting (XSS) in SuiteCRM_CVE-2025-41384

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Cross-Site Scripting (XSS) vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but will allow the JavaScript code to execute.

Basic Information

ID CVE-2025-41384

Source INCIBE

Published Oct 27, 2025 at 12:53

Modified Oct 27, 2025 at 15:08

Affected Product

Vendor SuiteCRM

Product SuiteCRM

Version versions prior to 7.14.1 and prior to 8.8.1

Affected Versions SuiteCRM SuiteCRM versions prior to 7.14.1 and prior to 8.8.1

CWE Classification

CWE-79

References

www.incibe.es /en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-suitecrm

{
    "lastseen": "",
    "description": "Cross-Site Scripting (XSS) vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but will allow the JavaScript code to execute.",
    "published": "2025-10-27T12:53:51.383Z",
    "modified": "2025-10-27T15:08:15.360Z",
    "type": "cve",
    "title": "Reflected Cross-Site Scripting (XSS) in SuiteCRM",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-suitecrm",
    "id": "CVE-2025-41384",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "SuiteCRM SuiteCRM versions prior to 7.14.1 and prior to 8.8.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SuiteCRM",
    "version": "versions prior to 7.14.1 and prior to 8.8.1",
    "vendor": "SuiteCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}