Impact
The vulnerability allows an attacker to inject arbitrary JavaScript by sending a specially crafted return_id query value. Because the value is placed directly into a double-quoted HTML event-handler attribute, the injected script runs when the resulting page is rendered in the victim's browser. This is a blind XSS: it gives the attacker no immediate visual feedback, but the script executes in the context of the target site. Based on the typical consequences of XSS, the attacker could potentially steal session data, modify page content, or perform other client-side actions; however, the CVE description does not confirm any of these specific outcomes, so they remain inferred risks.
Affected Systems
SuiteCRM installations running any release earlier than 7.15.1 in the 7.x series or earlier than 8.9.3 in the 8.x series are vulnerable. Versions 7.15.1 and 8.9.3 contain the fix that removes the unsafe echoing of return_id into the attribute.
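The unsafe pattern described above, and one defender-side hardening of it, as an added illustration that is not SuiteCRM's own code. The function names, the onclick attribute, and the assumed shape of a record id are hypothetical.

```php
<?php
// Added illustration, not SuiteCRM's own code. Function names, the attribute
// (onclick) and the assumed record-id format are all hypothetical.

// Vulnerable pattern: the raw return_id is echoed into a double-quoted
// event-handler attribute. A double quote inside the value terminates the
// attribute, and the rest of the value is parsed as new markup.
function render_vulnerable(string $returnId): string
{
    return '<a href="#" onclick="goBack(\'' . $returnId . '\')">Back</a>';
}

// Hardened pattern, two layers:
//  1. Allow-list: accept only the shape a record id is expected to have
//     (assumed here: 36 characters of hex digits and dashes); anything else
//     is replaced by a safe default rather than echoed.
//  2. Context-aware encoding: JSON-encode the value for the JavaScript
//     string literal, then HTML-encode the whole handler because it lives
//     inside an HTML attribute. The browser decodes the entities before the
//     JavaScript parser sees the handler, so goBack() still receives the id.
function render_hardened(string $returnId): string
{
    if (!preg_match('/^[0-9a-fA-F-]{36}$/', $returnId)) {
        $returnId = ''; // unexpected shape: do not echo attacker-controlled input
    }
    $handler = 'goBack(' . json_encode($returnId) . ')';
    $attr    = htmlspecialchars($handler, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="#" onclick="' . $attr . '">Back</a>';
}

// Constructed inputs: a well-formed id, and a value that tries to close the
// attribute early and append an attribute of its own.
$good = '3e4f9a12-1111-2222-3333-444455556666';
$bad  = 'abc" data-injected="1';

echo render_vulnerable($bad), PHP_EOL;  // attribute boundary is broken
echo render_hardened($bad), PHP_EOL;    // rejected by the allow-list
echo render_hardened($good), PHP_EOL;   // id passes through, quotes encoded
```

Compare the first and second lines of output: in the vulnerable rendering the injected double quote ends the onclick attribute, while in the hardened rendering no input character can leave the attribute.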
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, which is consistent with that assessment. Exploitation requires the attacker to craft a request containing a malicious return_id value and an end user to load the resulting page in a browser. Because the injection lands in an event-handler attribute, the attacker must entice a user to visit the page or embed it in an iframe or link; passive exploitation without user interaction (e.g., via DNS) is not feasible. The impact is confined to the victim's session and does not grant direct control over the server.
OpenCVE Enrichment