CVE-2024-50335

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.6 SuiteCRM versions prior to 8.7.1

Description: The issue arises due to insufficient input validation and sanitization of the Publish Key field within the SuiteCRM application, allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions, such as creating new administrative users without proper authentication. When an attacker injects a malicious script, it gets executed within the context of an authenticated user's session. The injected script then leverages the captured CSRF token to forge requests that create new administrative users, effectively compromising the integrity and security of the CRM instance.

Recommendations: For versions prior to 7.14.6, upgrade to version 7.14.6 or later. For versions prior to 8.7.1, upgrade to version 8.7.1 or later. As a temporary workaround, consider restricting access to the Publish Key field in the Edit Profile page until a patch is available.