Server-Side Request Forgery (SSRF) in SuiteCRM - CVE-2024-36414

 


Published: June 10, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127386
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-36414
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SalesAgility
Affected software:
SuiteCRM

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to a server-side request forgery flaw in connectors file verification when processing user-supplied URLs. A remote user can send a crafted request to disclose sensitive information.

The issue can be exploited to make the application send HTTP requests to arbitrary domains and access internal services reachable by the server.
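One defensive check for this class of flaw, as an added example that is not SuiteCRM's own code: a validator for user-supplied URLs that refuses non-HTTP schemes, embedded credentials, and any host whose literal or resolved addresses fall in loopback, private, link-local or otherwise internal ranges. The `system_resolver` helper and the injectable `resolver` parameter are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Return every address the OS resolver gives for host (assumed helper)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for loopback, RFC 1918/ULA, link-local, multicast, reserved
    and unspecified addresses, i.e. anything a server should not fetch."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_outbound_url(url, resolver=system_resolver):
    """Validate a user-supplied URL before the server fetches it.
    Rejects non-HTTP schemes, embedded credentials, and any host whose
    literal or resolved addresses point at an internal network."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL (e.g. unbalanced IPv6 brackets)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False  # unresolvable names are refused, not retried
    if not addrs:
        return False
    # Every resolved address must be external: a name that returns one
    # public and one private record is still rejected.
    return not any(is_internal(a) for a in addrs)
```

Resolve once and connect to the validated address (or repeat the check in the HTTP client's connection hook); validating here and then letting the client resolve the name a second time leaves a DNS-rebinding window.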


How to mitigate CVE-2024-36414

Install the security update from the vendor's website.

Sources