CVE-2024-36415 - Vulnerability Details - OpenCVE

Description

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

Published: 2024-06-10

Score: 9.1 Critical

EPSS: 4.0% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

salesagility

SuiteCRM

affected

Version	Status	Constraints
`< 7.14.4`	affected	—
`>= 8.0.0, < 8.6.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:salesagility:suitecrm::::::::
	cpe:2.3:a:salesagility:suitecrm::::::::

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-36072	SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.03998.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh

History

No history.

Subscriptions

Salesagility Suitecrm

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-10T19:49:54.382Z

Updated: 2024-08-02T03:37:05.143Z

Reserved: 2024-05-27T15:59:57.033Z

Link: CVE-2024-36415

Vulnrichment

Updated: 2024-06-11T19:08:37.226Z

NVD

Status : Modified

Published: 2024-06-10T20:15:14.503

Modified: 2024-11-21T09:22:07.970

Link: CVE-2024-36415

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36415", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-27T15:59:57.033Z", "datePublished": "2024-06-10T19:49:54.382Z", "dateUpdated": "2024-08-02T03:37:05.143Z"}, "containers": {"cna": {"title": "SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh"}], "affected": [{"vendor": "salesagility", "product": "SuiteCRM", "versions": [{"version": "< 7.14.4", "status": "affected"}, {"version": ">= 8.0.0, < 8.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-10T19:49:54.382Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue."}], "source": {"advisory": "GHSA-c82f-58jv-jfrh", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "salesagility", "product": "suitecrm", "cpes": ["cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "7.14.4", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "8.6.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T19:08:56.644547Z", "id": "CVE-2024-36415", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T19:09:00.277Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:37:05.143Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36415", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-11T19:08:56.644547Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"], "vendor": "salesagility", "product": "suitecrm", "versions": [{"status": "affected", "version": "0", "lessThan": "7.14.4", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "8.6.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T19:08:37.226Z"}}], "cna": {"title": "SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution", "source": {"advisory": "GHSA-c82f-58jv-jfrh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "salesagility", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.14.4"}, {"status": "affected", "version": ">= 8.0.0, < 8.6.1"}]}], "references": [{"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh", "name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-10T19:49:54.382Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36415", "state": "PUBLISHED", "dateUpdated": "2024-06-11T19:09:00.277Z", "dateReserved": "2024-05-27T15:59:57.033Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-10T19:49:54.382Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "176C4E20-B96D-4391-986F-3314663983AC", "versionEndExcluding": "7.14.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5249169E-5516-4705-A2C8-DE1BA56497D0", "versionEndExcluding": "8.6.1", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con el cliente (CRM) de c\u00f3digo abierto. Antes de las versiones 7.14.4 y 8.6.1, una vulnerabilidad en la verificaci\u00f3n de archivos cargados en los productos permit\u00eda la ejecuci\u00f3n remota de c\u00f3digo. Las versiones 7.14.4 y 8.6.1 contienen una soluci\u00f3n para este problema."}], "id": "CVE-2024-36415", "lastModified": "2024-11-21T09:22:07.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-10T20:15:14.503", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}