Vulnerability Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of the SuiteCRM-instance. By simply viewing emails as the logged-in user, the payload can be triggered. With that, an attacker is able to run arbitrary actions as the logged-in user - like extracting data, or if it is an admin executing the payload, takeover the instance. This is fixed in versions 7.14.7.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Salesagility | Suitecrm | >= 7.14.0, < 7.14.7 |
Related Weaknesses (CWE)
References
- https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7Release Notes
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vg8q-xcq5-mh3pVendor Advisory
FAQ
What is CVE-2025-54784?
CVE-2025-54784 is a vulnerability with a CVSS score of 6.1 (MEDIUM). SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 thr...
How severe is CVE-2025-54784?
CVE-2025-54784 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-54784?
Check the references section above for vendor advisories and patch information. Affected products include: Salesagility Suitecrm.