Impact
The vulnerability is a cross‑site scripting (XSS) flaw that allows an attacker to embed a malicious script in the Social Media link fields of a user’s profile. Because the payload is saved with the profile and runs whenever another user views it, the description corresponds to stored XSS. The script executes in the victim’s browser under the victim’s session, so it can be used to steal session cookies, hijack the account, or perform actions on the victim’s behalf; when the viewer is an administrator, those actions carry administrative privileges, so the impact ranges from data theft to takeover of privileged accounts within the system.
Affected Systems
RockRMS, the open‑source relationship management platform, is affected in all releases from version 16.13 up to and including 17.7.0. The issue is in the user profile module, where Social Media link URLs are rendered without proper validation or output encoding. No fixed version is identified in the data available here, so administrators should watch for a subsequent release that addresses this flaw.
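The following is an added illustration, not RockRMS code, of the rendering pattern the advisory describes and of one way to render such links safely. It assumes a template that interpolates the stored link directly into an anchor's href, and all profile entries and function names (renderLinkUnsafe, renderLinkSafe, looksInjected) are constructed for the example. Two payload shapes matter for a link field: a non-HTTP scheme such as javascript: that executes on click, and a quote break-out that closes the attribute and injects a new tag.

```javascript
// Added example (not Rock RMS code): how an unvalidated social-media link
// becomes stored XSS, and one way to render such links safely.
// All profile entries below are constructed sample data.

const HTML_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

// Output encoding for HTML text and double-quoted attribute values: every
// character that could close an attribute or open a tag becomes an entity.
function encodeHtml(value) {
  return String(value).replace(/[&"'<>]/g, (c) => HTML_ESCAPES[c]);
}

// Naive renderer: interpolates the stored value straight into markup.
// This is the pattern the advisory describes; it is kept here deliberately.
function renderLinkUnsafe(label, url) {
  return `<a href="${url}">${label}</a>`;
}

// Hardened renderer: the URL must parse as absolute and use http or https
// (this rejects javascript:, data:, vbscript: and friends), and both the
// href and the label are HTML-encoded before being placed in the template.
// Returns null for anything that does not pass, so callers drop the link.
function renderLinkSafe(label, url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return `<a href="${encodeHtml(parsed.href)}" rel="noopener noreferrer">${encodeHtml(label)}</a>`;
}

// Constructed profile entries: one benign, two hostile (hypothetical payloads).
const SAMPLE_PROFILE_LINKS = [
  { label: 'Twitter', url: 'https://twitter.com/example' },
  { label: 'Facebook', url: 'javascript:alert(document.cookie)' },
  { label: 'Instagram', url: 'https://example.com/"><img src=x onerror=alert(1)><a href="' },
];

// Heuristic used only by this example to judge rendered output: an href with
// a javascript: scheme, or any "<" that is not the template's own <a> / </a>.
function looksInjected(html) {
  return /href="javascript:/i.test(html) || /<(?!a\s|\/a>)/i.test(html);
}

// Render every link with the given renderer, dropping rejected entries.
function renderProfile(links, renderer) {
  return links.map((l) => renderer(l.label, l.url)).filter((h) => h !== null);
}
```

With the unsafe renderer both hostile entries reach the page as executable markup; with the hardened one the javascript: entry is dropped and the break-out attempt survives only as a harmless percent-encoded path inside a properly quoted attribute. Scheme validation and output encoding are complementary: encoding alone would still emit a clickable javascript: link, and scheme checks alone would still allow the quote break-out. A host allow-list for the supported social networks is a reasonable further tightening.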
Risk and Exploitability
The CVSS score is 9. No EPSS score has been reported, so no exploitation‑probability estimate is available, and the vulnerability is not listed in a KEV catalog, so exploitation in the wild is not confirmed. Neither fact lowers the severity: XSS in a field that is rendered to other users can be abused to hijack sessions or force administrative actions. The attack path, inferred from the description’s reference to Social Media links, is for the attacker to save a malicious payload in a Social Media link field of a profile and then persuade, or simply wait for, a victim to view that profile; a privileged viewer is the natural target. Until an update is available, administrators should treat this as a high‑risk issue.
OpenCVE Enrichment