{"api_version":"1","generated_at":"2026-04-24T03:59:37+00:00","cve":"CVE-2018-20816","urls":{"html":"https://cve.report/CVE-2018-20816","api":"https://cve.report/api/cve/CVE-2018-20816.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-20816","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-20816"},"summary":{"title":"CVE-2018-20816","description":"An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the \"add dashboard pages\" feature where users can receive a malicious attack through a phished URL, with script executed.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-04-05 16:29:00","updated_at":"2021-07-22 15:50:00"},"problem_types":["CWE-352","CWE-79"],"metrics":[],"references":[{"url":"https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11","name":"https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"7.10.x Releases :: Docs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/salesagility/SuiteDocs/pull/198/files","name":"https://github.com/salesagility/SuiteDocs/pull/198/files","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Update Releases (7.10.11) .adoc by cameronblaikie · Pull Request #198 · salesagility/SuiteDocs · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24","name":"https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"7.8.x Releases :: Docs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-20816","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20816","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"20816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"salesagility","cpe5":"suitcrm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"20816","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"salesagility","cpe5":"suitcrm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"20816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"salesagility","cpe5":"suitecrm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-20816","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the \"add dashboard pages\" feature where users can receive a malicious attack through a phished URL, with script executed."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/salesagility/SuiteDocs/pull/198/files","refsource":"MISC","name":"https://github.com/salesagility/SuiteDocs/pull/198/files"},{"url":"https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11","refsource":"MISC","name":"https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11"},{"url":"https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24","refsource":"MISC","name":"https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24"}]}},"nvd":{"publishedDate":"2019-04-05 16:29:00","lastModifiedDate":"2021-07-22 15:50:00","problem_types":["CWE-352","CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*","versionStartIncluding":"7.10.00","versionEndExcluding":"7.10.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.8.24","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"20816","Ordinal":"149162","Title":"CVE-2018-20816","CVE":"CVE-2018-20816","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"20816","Ordinal":"1","NoteData":"An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the \"add dashboard pages\" feature where users can receive a malicious attack through a phished URL, with script executed.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"20816","Ordinal":"2","NoteData":"2019-04-05","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"20816","Ordinal":"3","NoteData":"2019-04-05","Type":"Other","Title":"Modified"}]}}}