SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
An attacker can send a specially crafted request to the events response entry point in the SuiteCRM application, injecting malicious SQL code. Lack of proper validation and sanitization of input data allows manipulation of database queries. The attack requires no authentication, user interaction, or special privileges, and its scope extends beyond the directly attacked component (Scope: Changed).
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and under favorable conditions take full control of the system β leading to violations of confidentiality, integrity, and availability of the application.
SuiteCRM should be updated to version 7.14.4 or 8.6.1, which contain a fix eliminating this vulnerability. Details are available in the vendor's references at: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8
SuiteCRM (Salesagility) in versions earlier than 7.14.4 and earlier than 8.6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSalesagility Suitecrm
APPSalesagility< 7.14.48.0.0 β 8.6.1 (bez)
Related vulnerabilities
SQL Injection w SuiteCRM umoΕΌliwiajΔ ce zdalne wykonanie kodu (RCE)
SQL Injection w kontrolerze Alerts aplikacji SuiteCRM
SQL Injection w SuiteCRM β kontroler EmailUIAjax messages count
SQL Injection w SuiteCRM β punkt wejΕcia danych drzewa
SQL Injection w SuiteCRM β kontroler EmailUIAjax displayView