{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64489", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-05T19:12:25.102Z", "datePublished": "2025-11-08T00:15:44.728Z", "dateUpdated": "2025-11-13T21:36:24.585Z"}, "containers": {"cna": {"title": "SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph"}, {"name": "https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131", "tags": ["x_refsource_MISC"], "url": "https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131"}, {"name": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d", "tags": ["x_refsource_MISC"], "url": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.14.8", "status": "affected"}, {"version": ">= 8.0.0-beta.1, < 8.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-08T00:15:44.728Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1."}], "source": {"advisory": "GHSA-j6jg-9jj3-q2ph", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T21:36:18.581353Z", "id": "CVE-2025-64489", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T21:36:24.585Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64489", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-13T21:36:18.581353Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T21:36:21.988Z"}}], "cna": {"title": "SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass", "source": {"advisory": "GHSA-j6jg-9jj3-q2ph", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.14.8"}, {"status": "affected", "version": ">= 8.0.0-beta.1, < 8.9.1"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph", "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131", "name": "https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d", "name": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-08T00:15:44.728Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64489", "state": "PUBLISHED", "dateUpdated": "2025-11-13T21:36:24.585Z", "dateReserved": "2025-11-05T19:12:25.102Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-08T00:15:44.728Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "37968BEF-2577-4B8F-AE06-8C9DCEB9C84B", "versionEndExcluding": "7.14.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DFDEB5D-4821-41F8-AEBB-38D394739DDE", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y lista para empresas. Las versiones 7.14.7 y anteriores, 8.0.0-beta.1 hasta la 8.9.0, contienen una vulnerabilidad de escalada de privilegios donde las sesiones de usuario no se invalidan tras la desactivaci\u00f3n de la cuenta. Un usuario inactivo con una sesi\u00f3n activa puede seguir accediendo a la aplicaci\u00f3n y, cr\u00edticamente, puede reactivar su propia cuenta. Esto socava los controles administrativos y permite la persistencia no autorizada. Este problema se ha solucionado en las versiones 7.14.8 y 8.9.1."}], "id": "CVE-2025-64489", "lastModified": "2025-11-25T17:31:42.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-11-08T01:15:38.607", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-11-10T09:33:36.602489+00:00", "updated": "2025-11-10T09:33:36.602515+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}