Main Vulnerability Database Vulnerabilities #VU60193

PHP file inclusion in SuiteCRM - CVE-2021-45898

Published: January 31, 2022

Vulnerability identifier: #VU60193

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2021-45898

CWE-ID: CWE-98

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SuiteCRM

Software vendor:
SalesAgility

Description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

Remediation

Install updates from vendor's website.

External links

https://docs.suitecrm.com/8.x/admin/releases/8.0/
https://docs.suitecrm.com/admin/releases/7.12.x/

PHP file inclusion in SuiteCRM - CVE-2021-45898

Description

Remediation

External links

Please verify you're human