CVE-2021-39268: XSS
First published: Wed Aug 18 2021(Updated: )
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SalesAgility SuiteCRM | <7.11.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of the persistent cross-site scripting (XSS) vulnerability in SuiteCRM?
The vulnerability ID is CVE-2021-39268.
What is the severity of CVE-2021-39268?
The severity of CVE-2021-39268 is medium with a CVSS score of 6.1.
What is the affected software version of CVE-2021-39268?
The affected software version is SuiteCRM before 7.11.19.
How does CVE-2021-39268 work?
CVE-2021-39268 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files by bypassing the clean_file_output protection mechanism.
How can the persistent cross-site scripting (XSS) vulnerability in SuiteCRM be fixed?
To fix the persistent cross-site scripting (XSS) vulnerability in SuiteCRM, update to version 7.11.19 or later as recommended by the vendor SalesAgility.
- collector/nvd-index
- vendor/salesagility
- canonical/salesagility suitecrm