{"id":"CVE-2025-54784","summary":"SuiteCRM is vulnerable to Cross Site Scripting (XSS) through its email viewer","details":"SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of the SuiteCRM instance. By simply viewing emails as the logged-in user, the payload can be triggered. With that, an attacker is able to run arbitrary actions as the logged-in user, like extracting data or, if an admin executes the payload, taking over the instance. This is fixed in version 7.14.7.","aliases":["GHSA-vg8q-xcq5-mh3p"],"modified":"2026-04-10T05:29:40.491592Z","published":"2025-08-07T00:07:07.525Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54784.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54784.json"},{"type":"ADVISORY","url":"https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vg8q-xcq5-mh3p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54784"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/salesagility/suitecrm","events":[{"introduced":"bd9328e79f39ad0f49a53f609bfb5e42762b5fd8"},{"fixed":"55921fe6c5fd5e2f81fc401e2d9ac8653cfbb8b5"}],"database_specific":{"versions":[{"introduced":"7.14.0"},{"fixed":"7.14.7"}]}}],"versions":["v7.14.0","v7.14.1","v7.14.2","v7.14.3","v7.14.4","v7.14.5","v7.14.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54784.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/salesagility/suitecrm-core","events":[{"introduced":"0820b6acc28a04b6386dc860f15ded621b8add27"},{"fixed":"3e06d0f16a8a7c2cf27062372e87a134d7a032c8"}],"database_specific":{"versions":[{"introduced":"8.6.0"},{"fixed":"8.8.1"}]}}],"versions":["v8.6.0","v8.6.1","v8.6.2","v8.7.0","v8.7.0-beta","v8.7.1","v8.8.0","v8.8.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54784.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/suitecrm/suitecrm","events":[{"introduced":"bd9328e79f39ad0f49a53f609bfb5e42762b5fd8"},{"fixed":"55921fe6c5fd5e2f81fc401e2d9ac8653cfbb8b5"}],"database_specific":{"versions":[{"introduced":"7.14.0"},{"fixed":"7.14.7"}]}}],"versions":["v7.14.0","v7.14.1","v7.14.2","v7.14.3","v7.14.4","v7.14.5","v7.14.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54784.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}