Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for SuiteCRM-Core by salesagility

    CVE-2024-36419 (GCVE-0-2024-36419)

    Vulnerability from nvd – Published: 2024-06-10 21:15 – Updated: 2024-08-02 03:37
    VLAI
    Title
    SuiteCRM-Core Host Header Injection in /legacy
    Summary
    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    salesagility SuiteCRM-Core Affected: < 8.6.1
    Create a notification for this product.
    salesagility suitecrm Affected: 0 , < 8.6.1 (custom)
        cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "suitecrm",
                "vendor": "salesagility",
                "versions": [
                  {
                    "lessThan": "8.6.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36419",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-11T17:47:58.999931Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-11T17:51:07.265Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.044Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "salesagility",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-10T21:15:37.840Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc"
            }
          ],
          "source": {
            "advisory": "GHSA-3323-hjq3-c6vc",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM-Core Host Header Injection in /legacy "
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-36419",
        "datePublished": "2024-06-10T21:15:37.840Z",
        "dateReserved": "2024-05-27T15:59:57.033Z",
        "dateUpdated": "2024-08-02T03:37:05.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47643 (GCVE-0-2023-47643)

    Vulnerability from nvd – Published: 2023-11-21 19:32 – Updated: 2024-11-27 16:08
    VLAI
    Title
    SuiteCRM has Unauthenticated Graphql Introspection Enabled
    Summary
    SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:16:42.273Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
              },
              {
                "name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
              },
              {
                "name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47643",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-27T16:08:10.665089Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-27T16:08:28.226Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "salesagility",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-21T19:32:21.571Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
            },
            {
              "name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
            },
            {
              "name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
            }
          ],
          "source": {
            "advisory": "GHSA-fxww-jqfv-9rrr",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM has Unauthenticated Graphql Introspection Enabled"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-47643",
        "datePublished": "2023-11-21T19:32:21.571Z",
        "dateReserved": "2023-11-07T16:57:49.246Z",
        "dateUpdated": "2024-11-27T16:08:28.226Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-36419 (GCVE-0-2024-36419)

    Vulnerability from cvelistv5 – Published: 2024-06-10 21:15 – Updated: 2024-08-02 03:37
    VLAI
    Title
    SuiteCRM-Core Host Header Injection in /legacy
    Summary
    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    salesagility SuiteCRM-Core Affected: < 8.6.1
    Create a notification for this product.
    salesagility suitecrm Affected: 0 , < 8.6.1 (custom)
        cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "suitecrm",
                "vendor": "salesagility",
                "versions": [
                  {
                    "lessThan": "8.6.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-36419",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-11T17:47:58.999931Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-11T17:51:07.265Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:37:05.044Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "salesagility",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.6.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-10T21:15:37.840Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc"
            }
          ],
          "source": {
            "advisory": "GHSA-3323-hjq3-c6vc",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM-Core Host Header Injection in /legacy "
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-36419",
        "datePublished": "2024-06-10T21:15:37.840Z",
        "dateReserved": "2024-05-27T15:59:57.033Z",
        "dateUpdated": "2024-08-02T03:37:05.044Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47643 (GCVE-0-2023-47643)

    Vulnerability from cvelistv5 – Published: 2023-11-21 19:32 – Updated: 2024-11-27 16:08
    VLAI
    Title
    SuiteCRM has Unauthenticated Graphql Introspection Enabled
    Summary
    SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:16:42.273Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
              },
              {
                "name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
              },
              {
                "name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47643",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-27T16:08:10.665089Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-27T16:08:28.226Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "salesagility",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.4.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-21T19:32:21.571Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
            },
            {
              "name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
            },
            {
              "name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
            }
          ],
          "source": {
            "advisory": "GHSA-fxww-jqfv-9rrr",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM has Unauthenticated Graphql Introspection Enabled"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-47643",
        "datePublished": "2023-11-21T19:32:21.571Z",
        "dateReserved": "2023-11-07T16:57:49.246Z",
        "dateUpdated": "2024-11-27T16:08:28.226Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }