FKIE_CVE-2026-33288

Vulnerability from fkie_nvd - Published: 2026-03-20 00:16 - Updated: 2026-03-23 16:56
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
References
security-advisories@github.comhttps://docs.suitecrm.com/admin/releases/7.15.xRelease Notes
security-advisories@github.comhttps://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7Vendor Advisory
Impacted products
Vendor Product Version
suitecrm suitecrm *
suitecrm suitecrm *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99",
              "versionEndExcluding": "7.15.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF",
              "versionEndExcluding": "8.9.3",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."
    },
    {
      "lang": "es",
      "value": "SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con clientes (CRM) de c\u00f3digo abierto y lista para empresas. Prior a las versiones 7.15.1 y 8.9.3, existe una vulnerabilidad de inyecci\u00f3n SQL en los mecanismos de autenticaci\u00f3n de SuiteCRM cuando el soporte de directorio est\u00e1 habilitado. La aplicaci\u00f3n no logra sanear correctamente el nombre de usuario proporcionado por el usuario antes de usarlo en una consulta de base de datos local. Un atacante con credenciales de directorio v\u00e1lidas y de bajo privilegio puede explotar esto para ejecutar comandos SQL arbitrarios, lo que lleva a una escalada de privilegios completa (por ejemplo, iniciar sesi\u00f3n como el Administrador de CRM). Las versiones 7.15.1 y 8.9.3 parchean el problema."
    }
  ],
  "id": "CVE-2026-33288",
  "lastModified": "2026-03-23T16:56:51.460",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T00:16:18.470",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.suitecrm.com/admin/releases/7.15.x"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.