CVE-2023-6126: HTML injection in Title in suitecrm

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.


Hi @nam-no

The Security Team has now assessed the following issue:

SCRMBT-#249 – Huntr.dev: HTML injection in Title in salesagility/suitecrm

This issue has been given a severity grading of 'Moderate'. As such we are planning to schedule the fix to address this issue into a release in the near future.

We would like to suggest a change in the CVSS rating to CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Medium 4.3), the following are the reasons for the change:

Attack Vector

  • Network
  • A victim must access a vulnerable system via the network.

Attack Complexity

  • Low

Privileges Required

  • Low
  • Requires an authenticated user

User Interaction

  • None

Scope

  • Unchanged
  • The vulnerability is exploited on the browser and the impact is to the user’s browser.

Confidentiality Impact

  • None
  • Requires an authenticated user. Impacts the dashlet for a single user.

Integrity Impact

  • Low

Availability Impact

  • None

Once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not to be included or have a specific request on how you would like to be referenced within the release notes.

Once the issue is resolved on huntr.dev a CVE will be emitted. We will then update the release notes with this CVE.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team
