As part of my ongoing hobbyist information security research, I came across an XSS in the open-source SuiteCRM customer relationship management web app, developed by Sales Agility.
There is a bug in the input validation of the name field on the client account page.
Accounts page bugs
- Double-click the website field to edit it.
- Without saving that field, double-click the email address field to edit it and click OK in the popup.
- The data from the name field will now overflow and be duplicated in the email field, and both fields will execute the injection above.
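The rendering step behind the behaviour above, shown as an added example that is not SuiteCRM's own code: an inline-edit popup that builds a field's markup from a stored record value, first with the value concatenated verbatim (the pattern that lets a stored name become stored XSS) and then with the value HTML-encoded for the attribute it lands in. The widget model, the field names and the sample record are assumptions for the example.

```javascript
// Added example, not SuiteCRM code: minimal model of an inline-edit popup
// rendering one account field into an <input> element.

// Constructed sample record. The name carries a quote and a tag so that an
// unencoded value visibly breaks out of the attribute it was placed in.
const sampleAccount = {
  name: 'Acme "Corp" & Sons <b>bold</b>',
  website: 'https://example.com',
  email: 'sales@example.com',
};

// Encode the characters that are significant in HTML text and attribute contexts.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the stored value is concatenated straight into the markup.
function renderFieldVulnerable(account, field) {
  return '<input name="' + field + '" value="' + account[field] + '">';
}

// Hardened: every dynamic value is encoded before it reaches the markup,
// regardless of which record field the popup copied it from.
function renderFieldSafe(account, field) {
  return '<input name="' + htmlEncode(field) +
         '" value="' + htmlEncode(account[field]) + '">';
}

// Check helper: count opening tags in the rendered markup. The template
// contains exactly one (<input>); any extra tag means a value escaped its
// attribute and would be parsed as HTML by the browser.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}
```

Running `countOpeningTags` over both renderings of the sample name gives 2 for the vulnerable variant and 1 for the hardened one, which is the kind of assertion a regression test for this bug should make.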