Platform: php
Component: suitecrm
Fixed in: 7.14.5, 8.0.1
CVE-2024-36412 describes a SQL Injection vulnerability discovered in SuiteCRM, an open-source CRM application. This flaw resides within the events response entry point, allowing attackers to inject malicious SQL code. Successful exploitation could lead to unauthorized data access and modification. The vulnerability affects SuiteCRM versions 8.0.0 and later, up to, but not including, version 8.6.1. A patch is available in version 8.6.1.
The SQL Injection vulnerability in SuiteCRM allows an attacker to inject arbitrary SQL queries into the database. This can lead to a wide range of malicious activities, including unauthorized access to sensitive customer data, financial records, and internal system configurations. An attacker could potentially modify or delete data, leading to data integrity issues and operational disruptions. Depending on the database user's privileges, the attacker might even be able to gain control of the underlying database server. The impact is particularly severe given the sensitive nature of data typically stored within CRM systems.
This vulnerability was publicly disclosed on June 10, 2024. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. There are currently no known public proof-of-concept exploits, but the vulnerability is likely to be targeted by malicious actors. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 93.64% (100th percentile)
CISA SSVC: not provided on this page
CVSS Vector: not provided on this page
The primary mitigation for CVE-2024-36412 is to immediately upgrade SuiteCRM to version 8.6.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and sanitization on the events response entry point. While not a complete solution, this can help reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can also provide an additional layer of protection. Review and restrict database user permissions to minimize potential damage from successful exploitation.
Update SuiteCRM to version 7.14.4 or higher, or to version 8.6.1 or higher. This corrects the SQL Injection vulnerability. It is recommended to create a backup before updating.
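The temporary workaround described above (validate the value submitted to the entry point and never splice it into SQL) looks like the following in a generic PHP handler. This is an added illustration, not SuiteCRM's own code: the table name `event_invitees`, the `accept_status` and `record` parameters and the set of allowed statuses are assumptions.

```php
<?php
// Added illustration, not SuiteCRM code. Table, column and parameter names
// are assumptions chosen to resemble an event-response handler.

// Vulnerable pattern: request values concatenated directly into the query,
// so any quote or operator in the value becomes part of the SQL statement.
function update_response_vulnerable(PDO $db, array $req): int {
    $sql = "UPDATE event_invitees SET accept_status = '" . $req['accept_status'] . "'"
         . " WHERE id = '" . $req['record'] . "'";
    return $db->exec($sql);
}

// Hardened pattern: allowlist the enumerated value, check the id format, and
// bind both values as parameters so the database never parses them as SQL.
const ALLOWED_STATUSES = ['accept', 'decline', 'tentative'];

function update_response_hardened(PDO $db, array $req): int {
    $status = $req['accept_status'] ?? '';
    $record = $req['record'] ?? '';

    if (!in_array($status, ALLOWED_STATUSES, true)) {
        throw new InvalidArgumentException('unexpected accept_status');
    }
    // Record ids are expected to be 36-character GUIDs (SuiteCRM style); reject anything else.
    if (!preg_match('/^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i', $record)) {
        throw new InvalidArgumentException('malformed record id');
    }

    $stmt = $db->prepare('UPDATE event_invitees SET accept_status = :status WHERE id = :id');
    $stmt->execute([':status' => $status, ':id' => $record]);
    return $stmt->rowCount();
}

// Constructed demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_invitees (id TEXT PRIMARY KEY, accept_status TEXT)');
$db->exec("INSERT INTO event_invitees VALUES ('11111111-2222-3333-4444-555555555555', 'none')");

$rows = update_response_hardened($db, [
    'record'        => '11111111-2222-3333-4444-555555555555',
    'accept_status' => 'accept',
]);
echo "rows updated: $rows\n";

try {
    update_response_hardened($db, ['record' => 'not-a-guid', 'accept_status' => 'accept']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The allowlist and format check stop malformed input before it reaches the database, and the bound parameters mean that even an unexpected value cannot change the query's structure.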
CVE-2024-36412 is a critical SQL Injection vulnerability affecting SuiteCRM versions 8.0.0 through 8.6.0, allowing attackers to potentially extract or modify data.
You are affected if you are running SuiteCRM versions 8.0.0 to 8.6.0. Upgrade to 8.6.1 to resolve the vulnerability.
Upgrade SuiteCRM to version 8.6.1 or later. As a temporary workaround, implement input validation and sanitization on the events response entry point.
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity suggests a high probability of exploitation.
Refer to the official SuiteCRM security advisory for detailed information and updates: [https://suitecrm.com/security/bulletin/cve-2024-36412/](https://suitecrm.com/security/bulletin/cve-2024-36412/)