SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on a blacklist of functions/methods to prevent installation of malicious MLPs, but these checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and checks the resulting AST against blacklists, but it doesn't take all scenarios into account. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Wed, 13 Nov 2024 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Tue, 05 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Salesagility
Salesagility suitecrm
CPEs cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*
Vendors & Products Salesagility
Salesagility suitecrm
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 Nov 2024 18:45:00 +0000

Type Values Removed Values Added
Description SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on a blacklist of functions/methods to prevent installation of malicious MLPs, but these checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and checks the resulting AST against blacklists, but it doesn't take all scenarios into account. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Title ModuleScanner flaws in SuiteCRM
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-05T18:37:05.422Z

Updated: 2024-11-05T18:59:06.730Z

Reserved: 2024-10-18T13:43:23.459Z

Link: CVE-2024-49774

Vulnrichment

Updated: 2024-11-05T18:59:02.437Z

NVD

Status: Analyzed

Published: 2024-11-05T19:15:06.410

Modified: 2024-11-13T20:40:26.100

Link: CVE-2024-49774

Redhat

No data.