SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` entry point can be abused to perform blind SQL injection via generateSearchWhere(). Allows for Information disclosure, including personally identifiable information. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Wed, 13 Nov 2024 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Salesagility
Salesagility suitecrm
CPEs cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*
Vendors & Products Salesagility
Salesagility suitecrm

Tue, 05 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 Nov 2024 18:45:00 +0000

Type Values Removed Values Added
Description SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` entry point can be abused to perform blind SQL injection via generateSearchWhere(). Allows for Information disclosure, including personally identifiable information. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Title Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-05T18:35:11.102Z

Updated: 2024-11-05T18:59:49.367Z

Reserved: 2024-10-18T13:43:23.459Z

Link: CVE-2024-49773

cve-icon Vulnrichment

Updated: 2024-11-05T18:59:45.700Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-05T19:15:06.200

Modified: 2024-11-13T20:29:11.297

Link: CVE-2024-49773

cve-icon Redhat

No data.