SB20240610123 - Multiple vulnerabilities in SuiteCRM
Published: June 10, 2024
Updated: April 24, 2026
Description
This security bulletin contains information about 14 security vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-6388)
The vulnerability allows a remote user to perform server-side request forgery.
The vulnerability exists due to server-side request forgery in the Activity stream feed when handling user-supplied feed requests. A remote user can send a crafted request to perform server-side request forgery.
2) Path traversal (CVE-ID: CVE-2024-36418)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in connectors when handling authenticated connector input. A remote user can supply a crafted pathname to execute arbitrary code.
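The defence against the path-traversal class described above is a containment check applied to any user-supplied pathname before it is used. The following is an added example, not code from SuiteCRM or its connectors; the root directory `/var/www/app/connectors` and the function names are assumptions chosen for illustration. The check is purely lexical, so it runs identically on any platform and before the filesystem is touched.

```python
import posixpath

# Constructed example root: the only directory connector-supplied paths may reach.
CONNECTOR_ROOT = "/var/www/app/connectors"


def safe_join(root: str, user_path: str) -> str:
    """Join a user-supplied relative path onto root, refusing anything that escapes it.

    Callers must URL-decode the input exactly once before calling this, and in
    production should also os.path.realpath() the result to defeat symlinks that
    already live inside root.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so "..\\.." normalises the same way as "../..".
    candidate = user_path.replace("\\", "/")
    # posixpath.join() silently discards root when the second argument is absolute,
    # so an absolute user path has to be rejected explicitly.
    if posixpath.isabs(candidate):
        raise ValueError("absolute path not allowed")
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, candidate))
    # After normalisation a contained path is either root itself or root + "/...".
    # The trailing "/" matters: "/var/www/app/connectors2" must not pass.
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes root")
    return full


def is_contained(root: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join() for callers that only need a verdict."""
    try:
        safe_join(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = [  # constructed inputs
        "sources/ext/rest/config.php",
        "../../../etc/passwd",
        "/etc/passwd",
        "sources/../../etc/passwd",
    ]
    for sample in samples:
        print(f"{sample!r:32} contained={is_contained(CONNECTOR_ROOT, sample)}")
```

Validating the normalised result rather than scanning the input for `..` is what makes the check robust: mixed separators, redundant segments and absolute paths all collapse to one canonical form before the single containment test.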
3) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2024-36417)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in input fields when rendering unverified iframe content. A remote user can inject a malicious iframe to disclose sensitive information.
User interaction is required for exploitation.
4) Logging of Excessive Data (CVE-ID: CVE-2024-36416)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to logging of excessive data in the deprecated v4 API example when handling requests to the service/example/ directory. A remote attacker can send requests that generate excessive log data to cause a denial of service.
The issue affects the deprecated v4 API example and does not require user interaction.
5) Open redirect (CVE-ID: CVE-2024-36406)
The vulnerability allows a remote attacker to redirect users to an untrusted site.
The vulnerability exists due to url redirection to an untrusted site in the redirect functionality when handling a user-supplied redirect URL. A remote attacker can send a crafted link to redirect users to an untrusted site.
User interaction is required to follow the crafted link.
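The usual mitigation for an open redirect is to accept only relative paths or absolute URLs whose host is on a fixed allowlist, and to fall back to a known landing page otherwise. This is an added example and not SuiteCRM's redirect code; the allowlisted host `crm.example.com`, the fallback `/index.php` and the function name are assumptions. It handles the forms that commonly slip past a naive "starts with /" check: scheme-relative `//host`, backslashes, credentials before the host, and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Constructed example: the hosts this deployment is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = frozenset({"crm.example.com"})
DEFAULT_LANDING = "/index.php"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS,
                         fallback: str = DEFAULT_LANDING) -> str:
    """Return target if it stays on this site or on an allowlisted host, else fallback."""
    target = (target or "").strip()
    if not target:
        return fallback
    # Browsers treat backslashes like slashes and strip control characters before
    # parsing, so refuse anything urlsplit() might interpret differently than they do.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    # "//host/path" is scheme-relative and leaves the site although it starts with "/".
    if target.startswith("//"):
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target  # purely relative: cannot reach another origin
    if parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and similar
    # hostname strips any "user:pass@" prefix and lowercases, so
    # "https://crm.example.com@evil.example/" is judged by "evil.example".
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return fallback
    return target


if __name__ == "__main__":
    for sample in ["/index.php?module=Home", "https://evil.example/",
                   "//evil.example/", "https://crm.example.com@evil.example/"]:
        print(f"{sample!r:48} -> {safe_redirect_target(sample)}")
```

Returning a fixed fallback instead of raising keeps the login flow working when the stored "return to" value is stale or tampered with, while never sending the user off-site.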
6) Improper access control (CVE-ID: CVE-2024-36407)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper access control in the password reset functionality when handling password reset requests. A remote attacker can trigger a password reset for a user account to cause a denial of service.
Only instances with password reset functionality enabled and running on PHP 7 are vulnerable.
7) SQL injection (CVE-ID: CVE-2024-36410)
The vulnerability allows a remote user to modify data or cause a denial of service.
The vulnerability exists due to SQL injection in the EmailUIAjax messages count controller when handling requests. A remote user can send a specially crafted request to modify data or cause a denial of service.
8) SQL injection (CVE-ID: CVE-2024-36411)
The vulnerability allows a remote user to modify or delete data.
The vulnerability exists due to SQL injection in the EmailUIAjax displayView controller when handling requests. A remote user can send a specially crafted request to modify or delete data.
9) SQL injection (CVE-ID: CVE-2024-36408)
The vulnerability allows a remote user to modify data or cause a denial of service.
The vulnerability exists due to SQL injection in the Alerts controller when handling user-supplied input. A remote user can send a specially crafted request to modify data or cause a denial of service.
10) SQL injection (CVE-ID: CVE-2024-36409)
The vulnerability allows a remote user to modify or delete data.
The vulnerability exists due to SQL injection in the Tree data entry point when handling user-supplied input. A remote user can send a specially crafted request to modify or delete data.
11) SQL injection (CVE-ID: CVE-2024-36412)
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the events response entry point when handling requests. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.
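Items 7 through 11 are all the same defect: request data reaching the SQL text instead of being bound as a parameter. The block below is an added example, not SuiteCRM code, written against an in-memory SQLite table with constructed rows; the table, column names and the sort-column allowlist are assumptions. It contrasts a concatenating query with its parameterised form, and covers the one case parameters cannot solve, a user-chosen identifier such as a sort column, which has to be checked against a fixed set instead.

```python
import sqlite3

# Constructed allowlist of columns a caller may sort by. Identifiers cannot be
# bound as parameters, so they are validated against a fixed set.
ALLOWED_SORT_COLUMNS = frozenset({"id", "folder", "received"})


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for a mailbox."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emails (id INTEGER PRIMARY KEY, folder TEXT, "
        "received INTEGER, deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO emails (folder, received, deleted) VALUES (?, ?, ?)",
        [("inbox", 100, 0), ("inbox", 200, 0), ("sent", 150, 0), ("inbox", 300, 1)],
    )
    conn.commit()
    return conn


def count_unsafe(conn: sqlite3.Connection, folder: str) -> int:
    """VULNERABLE: the folder value is pasted into the SQL text, so any quote in
    it changes the statement. Kept only to contrast with count_safe()."""
    sql = "SELECT COUNT(*) FROM emails WHERE folder = '" + folder + "' AND deleted = 0"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn: sqlite3.Connection, folder: str) -> int:
    """Same query with a bound parameter: the value never becomes SQL."""
    sql = "SELECT COUNT(*) FROM emails WHERE folder = ? AND deleted = 0"
    return conn.execute(sql, (folder,)).fetchone()[0]


def list_ids_safe(conn: sqlite3.Connection, folder: str, sort_column: str,
                  descending: bool = False) -> list:
    """Bound parameter for the value, allowlist for the identifier."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    direction = "DESC" if descending else "ASC"
    # sort_column is safe to interpolate only because it came from the allowlist.
    sql = f"SELECT id FROM emails WHERE folder = ? ORDER BY {sort_column} {direction}"
    return [row[0] for row in conn.execute(sql, (folder,))]


def run_demo() -> dict:
    """Exercise both variants with a folder name that legitimately contains a quote."""
    conn = build_sample_db()
    folder = "o'brien"  # constructed input
    try:
        count_unsafe(conn, folder)
        unsafe_errored = False
    except sqlite3.OperationalError:
        unsafe_errored = True  # the quote broke the statement: an error at best
    try:
        list_ids_safe(conn, "inbox", "nonexistent_column")
        bad_column_rejected = False
    except ValueError:
        bad_column_rejected = True
    return {
        "unsafe_errored": unsafe_errored,
        "safe_count_for_quoted_name": count_safe(conn, folder),
        "safe_count_inbox": count_safe(conn, "inbox"),
        "inbox_ids_newest_first": list_ids_safe(conn, "inbox", "received", descending=True),
        "bad_column_rejected": bad_column_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is deliberately mundane: it shows that the concatenating version is wrong for ordinary data, not only for hostile input, and that the same malformed statement is why the bulletin lists denial of service alongside data modification for these entries.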
12) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2024-36413)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the import module error view when handling user-generated content. A remote user can inject malicious script into content viewed by other users to execute arbitrary script in a victim's browser.
User interaction is required to view the crafted content.
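Items 3 and 12 both come down to user-controlled HTML being rendered without neutralisation. The approach that survives "alternate syntax" (odd casing, unquoted attributes, whitespace before a scheme, encoded characters) is to parse the fragment and rebuild it from an allowlist rather than to pattern-match the raw string. The block below is an added example and not SuiteCRM's sanitiser; the allowed tag set, the `safe_href` rule and the class name are assumptions. An `iframe`, `img` or `script` element simply disappears from the output, event-handler attributes are dropped, and `javascript:` links lose their `href`.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes that may survive. Everything else is dropped.
ALLOWED_TAGS = {"p": set(), "br": set(), "b": set(), "i": set(), "a": {"href"}}
VOID_TAGS = {"br"}


def safe_href(value: str) -> bool:
    """Accept http(s) URLs and same-site paths; reject javascript:, data:, //host
    and attempts to hide a scheme behind whitespace or control characters."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    if cleaned.startswith(("http://", "https://")):
        return True
    return cleaned.startswith("/") and not cleaned.startswith("//")


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.drop_text = False  # inside <script>/<style>, whose content is not prose

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_text = True
        if tag not in ALLOWED_TAGS:
            return  # iframe, img, script, ...: the tag vanishes, ordinary text stays
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers and unknown attributes are dropped
            if name == "href" and not safe_href(value):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_text = False
        if tag not in self.open_tags:
            return
        while self.open_tags:  # close intervening tags so nesting stays balanced
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_text:
            self.out.append(escape(data, quote=True))

    def close(self):
        super().close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(fragment: str) -> str:
    """Return a rebuilt fragment containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for sample in ['<p>Hi <b>there</p>', '<iframe src="https://evil.example/"></iframe>x',
                   '<a href=" JaVaScRiPt:alert(1)">link</a>']:
        print(f"{sample!r:52} -> {sanitize_html(sample)!r}")
```

Where the content only needs to be displayed as text rather than as limited rich text, `html.escape()` on its own is the simpler and stronger choice; the allowlist parser is for the case where some markup must be preserved.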
13) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-36414)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery in connectors file verification when processing user-supplied URLs. A remote user can send a crafted request to disclose sensitive information.
The issue can be exploited to make the application send HTTP requests to arbitrary domains and access internal services reachable by the server.
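Items 1 and 13 are both server-side request forgery: the application fetches a URL chosen by the user. The control is to validate the destination before connecting: permit only `http`/`https`, refuse embedded credentials, resolve the host, and reject any address that is not globally routable. The following is an added example, not code from SuiteCRM's feed or connector handling; the stub DNS table (including the assumed public address for the made-up host `feeds.example.com`) and the function names are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host: str) -> list:
    """Resolve a hostname to every address it maps to, IPv4 and IPv6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed stand-in for DNS so the example runs offline. The public address for
# the made-up feed host is an assumed value; the others are representative internals.
SAMPLE_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "intranet.internal": ["10.0.0.5"],
}


def sample_resolver(host: str) -> list:
    return SAMPLE_DNS.get(host, [])


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # "::ffff:127.0.0.1" is IPv6 on the wire but loopback in practice: unwrap it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver=resolve_host) -> list:
    """Validate a URL the server has been asked to fetch and return the addresses
    it may connect to. Raises ValueError for anything that must not be fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) may be fetched")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError("host does not resolve")
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        raise ValueError("host resolves to a non-public address: " + ", ".join(blocked))
    # Connect to one of these addresses rather than to the hostname again: resolving
    # a second time would let the answer change between check and use.
    return addresses


def is_allowed_outbound_url(url: str, resolver=resolve_host) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ["https://feeds.example.com/rss", "http://localhost/",
                   "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"]:
        print(f"{sample!r:36} allowed={is_allowed_outbound_url(sample, sample_resolver)}")
```

Checking every resolved address (not just the first) and pinning the connection to a checked address are the two details that most often get missed; without them a host with one public and one private record, or a record that changes between validation and fetch, still reaches internal services. Redirects returned by the remote server need the same check applied to each hop.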
14) Arbitrary file upload (CVE-ID: CVE-2024-36415)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in uploaded-file verification when handling file uploads. A remote privileged user can upload a dangerous file to execute arbitrary code.
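Upload verification that relies on the client-supplied filename alone is the root of this class. The following is an added example, not SuiteCRM's upload code; the accepted types, their leading-byte signatures and the function names are assumptions. It requires the extension to be on an allowlist and the file content to match that type, and it stores the file under a server-generated name so the client's filename never reaches the filesystem.

```python
import os
import secrets

# Constructed allowlist: canonical extension -> leading bytes the content must start with.
ALLOWED_UPLOAD_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


def classify_upload(client_filename: str, content_head: bytes) -> str:
    """Return the canonical extension for an upload whose name and content agree.

    Raises ValueError otherwise. Only the first few bytes of the file are needed.
    """
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Keep only the final component; directory parts in a client filename are never trusted.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in ALLOWED_UPLOAD_TYPES:
        raise ValueError(f"extension .{ext} not allowed")
    if not any(content_head.startswith(sig) for sig in ALLOWED_UPLOAD_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return ext


def storage_name(ext: str) -> str:
    """Server-chosen name. Because the client's filename is discarded, double
    extensions or other naming tricks cannot influence how the web server later
    treats the stored file; the directory should still have script execution disabled."""
    return secrets.token_hex(16) + "." + ext


def is_acceptable_upload(client_filename: str, content_head: bytes) -> bool:
    try:
        classify_upload(client_filename, content_head)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = [  # constructed (name, first bytes) pairs
        ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00"),
        ("notes.php", b"<?php"),
        ("notes.png", b"<?php"),
    ]
    for name, head in samples:
        print(f"{name!r:14} accepted={is_acceptable_upload(name, head)}")
```

A signature check on the first bytes is not a full format validation (a PNG header can be followed by anything), so it belongs alongside, not instead of, the server-chosen name and an upload directory that cannot execute scripts.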
Remediation
Install the update from the vendor's website.
References
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2674-4gq4-j4f4
- https://github.com/advisories/GHSA-2674-4gq4-j4f4
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j
- https://github.com/advisories/GHSA-3www-6rqc-rm7j
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-jrpp-22g3-2j77
- https://github.com/advisories/GHSA-jrpp-22g3-2j77
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-hcw8-p37h-8hrv
- https://github.com/advisories/GHSA-hcw8-p37h-8hrv
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r
- https://github.com/advisories/GHSA-6p2f-wwx9-952r
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-7jj8-m2wj-m6xq
- https://github.com/advisories/GHSA-7jj8-m2wj-m6xq
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9rvr-mcrf-p4p7
- https://github.com/advisories/GHSA-9rvr-mcrf-p4p7
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg
- https://github.com/advisories/GHSA-2g8f-gjrr-x5cg
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-pxq4-vw23-v73f
- https://github.com/advisories/GHSA-pxq4-vw23-v73f
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8
- https://github.com/advisories/GHSA-xjx2-38hv-5hh8
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-ph2c-hvvf-r273
- https://github.com/advisories/GHSA-ph2c-hvvf-r273
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh
- https://github.com/advisories/GHSA-c82f-58jv-jfrh