SB20241105111 - Multiple vulnerabilities in SuiteCRM
Published: November 5, 2024 Updated: April 24, 2026
Description
This security bulletin contains information about 6 security vulnerabilities.
1) SQL injection (CVE-ID: CVE-2024-50332)
The vulnerability allows a remote user to execute arbitrary SQL queries.
The vulnerability exists due to SQL injection in DeleteRelationShip when handling user-supplied input. A remote user can send a specially crafted request to execute arbitrary SQL queries.
The SQL injection is blind.
2) Input validation error (CVE-ID: CVE-2024-49774)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in the ModuleScanner PHP script parsing logic when processing malicious module loader packages. A remote privileged user can use syntax constructions that bypass blacklist checks to execute arbitrary code.
3) Input validation error (CVE-ID: CVE-2024-50333)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in ParserLabel::addLabels() when writing user-supplied input to the filesystem. A remote privileged user can write attacker-controlled data into a custom language file to execute arbitrary code.
The crafted language file is included at runtime.
4) SQL injection (CVE-ID: CVE-2024-49773)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the export entry point when processing the current_post parameter through generateSearchWhere(). A remote user can send a specially crafted current_post parameter to disclose sensitive information.
The issue can be exploited as a blind SQL injection and may expose PII.
5) SQL injection (CVE-ID: CVE-2024-49772)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the AM_ProjectTemplates controller when handling user-supplied input. A remote user can send a specially crafted request to disclose sensitive information.
The issue can be exploited by a low-privileged authenticated user.
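Items 1, 4 and 5 above share one root cause: a request value reaches the text of a SQL statement. The following is an added example, not code from SuiteCRM, from the vendor advisories or from this bulletin. It is written in Python against an in-memory sqlite3 table rather than SuiteCRM's PHP and MySQL so that it runs stand-alone; the table, its rows and the function names (search_where_unsafe, search_where_safe, ALLOWED_COLUMNS, is_allowed_column) are all constructed for the demonstration. It places the vulnerable pattern beside the hardened form, an allow-listed column identifier plus a bound parameter, and shows why the "blind" qualifier on items 1 and 4 does not make them harmless: the difference in result-set size alone is a signal.

```python
import sqlite3

# Constructed in-memory table for the demo; it is not SuiteCRM's schema.
SAMPLE_ROWS = [
    ("Smith", "smith@example.com"),
    ("Jones", "jones@example.com"),
    ("Lee", "lee@example.com"),
]

# Columns a caller may filter on. Identifiers cannot be bound as parameters,
# so they are checked against an allow-list instead of being interpolated.
ALLOWED_COLUMNS = {"last_name", "email"}


def make_db():
    """Create the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (last_name, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def is_allowed_column(column):
    """True only for identifiers the application has decided to expose."""
    return column in ALLOWED_COLUMNS


def search_where_unsafe(column, value):
    """Vulnerable pattern: request values are spliced into the SQL text.

    Whatever the client sends becomes part of the statement, so a value that
    closes the quoted literal and appends its own condition rewrites the query.
    """
    return f"SELECT id, last_name FROM contacts WHERE {column} = '{value}'"


def search_where_safe(column, value):
    """Hardened pattern: allow-listed identifier plus a bound parameter.

    The value never touches the SQL text; the driver hands it to the engine as
    data, so it is compared literally, quotes and all.
    """
    if not is_allowed_column(column):
        raise ValueError(f"unsupported filter column: {column!r}")
    return f"SELECT id, last_name FROM contacts WHERE {column} = ?", (value,)


def run_unsafe(conn, column, value):
    """Execute the concatenated statement and return the matching rows."""
    return conn.execute(search_where_unsafe(column, value)).fetchall()


def run_safe(conn, column, value):
    """Execute the parameterised statement and return the matching rows."""
    sql, params = search_where_safe(column, value)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "Smith"
    # Constructed hostile value: closes the string literal and appends an
    # always-true condition, the textbook shape of an injection.
    hostile = "x' OR '1'='1"
    print("unsafe, benign :", run_unsafe(db, "last_name", benign))   # one row
    print("unsafe, hostile:", run_unsafe(db, "last_name", hostile))  # every row
    print("safe,   hostile:", run_safe(db, "last_name", hostile))    # no rows
```

The concatenated version returns every contact for the hostile value, which is the data-disclosure outcome items 4 and 5 describe; even when nothing is echoed back, a changed row count or response time is enough for a blind injection to extract data one bit at a time. The parameterised version treats the same value as an ordinary string and matches nothing, and an unexpected column name is rejected before any SQL is built.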
6) Cross-site scripting (CVE-ID: CVE-2024-50335)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to cross-site scripting in the "Publish Key" field on the Edit Profile page when handling user-supplied input. A remote privileged user can inject malicious script to disclose sensitive information.
The injected script executes in the context of an authenticated user's session and can steal CSRF tokens that may be used to create unauthorized administrator users.
Remediation
Install the update from the vendor's website.
References
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p
- https://github.com/advisories/GHSA-53xh-mjmq-j35p
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-5hr4-r43c-6qf7
- https://github.com/advisories/GHSA-5hr4-r43c-6qf7
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-4xj8-hr85-hm3m
- https://github.com/advisories/GHSA-4xj8-hr85-hm3m
- https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8rw6-g96j-3w7m
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-8rw6-g96j-3w7m