Server-Side Request Forgery (SSRF) in SuiteCRM - CVE-2024-36414


Published: June 10, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127386
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-36414
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
SuiteCRM
Software vendor:
SalesAgility

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in the connectors file verification when processing user-supplied URLs. A remote user can send a crafted request to disclose sensitive information.

The issue can be exploited to make the application send HTTP requests to arbitrary domains and access internal services reachable by the server.
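As an added illustration, not SuiteCRM's own code (which is PHP) and not the vendor's fix, the kind of pre-fetch gate that closes this class of bug: a user-supplied URL is fetched only if its scheme is http(s), it carries no credentials, and every address its host resolves to is publicly routable. `check_outbound_url` and the injectable `resolve` parameter are this example's own names; the resolver is pluggable so the gate can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: validate a user-supplied URL before the server fetches it.
# Not SuiteCRM code. The host's addresses come from an injectable resolver.

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address (A and AAAA) the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(ip):
    """True for any address a server-side fetch must not reach: private,
    loopback, link-local (includes 169.254.169.254 metadata endpoints),
    multicast, reserved and unspecified ranges, i.e. anything not global."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return not ip.is_global


def check_outbound_url(url, resolve=_resolve):
    """Return (ok, reason). ok is True only when the URL is http(s), has no
    embedded credentials, and every address its host resolves to is global."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal address, including bracketed IPv6; urlsplit strips brackets.
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    internal = sorted(str(a) for a in addrs if _is_internal(a))
    if internal:
        return False, "resolves to internal address: " + ", ".join(internal)
    return True, "ok"
```

The check is only as good as the connection that follows it: the fetch must connect to the address that was validated (or re-run the check inside the connect hook), otherwise a host that re-resolves between check and fetch bypasses the gate.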


Remediation

Install the security update from the vendor's website.

External links