CRITICAL🇵🇱 Wersja polska

CVE-2024-36412

CVSS 10.0v3.1pub. 2024-06-10upd. 2024-11-21

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

🤖 AI Analysis
How it works

An attacker can send a specially crafted request to the events response entry point in the SuiteCRM application, injecting malicious SQL code. Lack of proper validation and sanitization of input data allows manipulation of database queries. The attack requires no authentication, user interaction, or special privileges, and its scope extends beyond the directly attacked component (Scope: Changed).

Impact

An attacker can gain unauthorized access to data stored in the database, modify or delete data, and under favorable conditions take full control of the system — leading to violations of confidentiality, integrity, and availability of the application.

Mitigation & patch

SuiteCRM should be updated to version 7.14.4 or 8.6.1, which contain a fix eliminating this vulnerability. Details are available in the vendor's references at: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8

Who is affected

SuiteCRM (Salesagility) in versions earlier than 7.14.4 and earlier than 8.6.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Salesagility Suitecrm

    APP
    Salesagility
    < 7.14.48.0.0 – 8.6.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2022-50589CRITICAL9.3PL ✓ten sam produkt

SQL Injection w SuiteCRM umożliwiające zdalne wykonanie kodu (RCE)

CVE-2024-36408CRITICAL9.6PL ✓ten sam produkt

SQL Injection w kontrolerze Alerts aplikacji SuiteCRM

CVE-2024-36410CRITICAL9.6PL ✓ten sam produkt

SQL Injection w SuiteCRM — kontroler EmailUIAjax messages count

CVE-2024-36409CRITICAL9.6PL ✓ten sam produkt

SQL Injection w SuiteCRM — punkt wejścia danych drzewa

CVE-2024-36411CRITICAL9.6PL ✓ten sam produkt

SQL Injection w SuiteCRM — kontroler EmailUIAjax displayView