SuiteCRM authenticated Reflected Cross-Site Scripting
Platform
php
Component
suitecrm
Fixed versions
7.14.4
8.6.1
CVE-2024-36413 is a reflected Cross-Site Scripting (XSS) vulnerability in SuiteCRM, a popular open-source Customer Relationship Management (CRM) application. The flaw is in the import module's error view, which reflects attacker-controlled content back into the page without adequate output encoding, so an authenticated user who is lured into triggering the error can have arbitrary script executed in their browser under the SuiteCRM origin. Successful exploitation could lead to data theft, session hijacking and other actions performed with the victim's privileges. Versions 7.14.4 and 8.6.1 fix this vulnerability.
Impact and attack scenarios
The reflected XSS in SuiteCRM's import module is a significant risk for organisations running the CRM. An attacker can craft an import file (or a request to the import endpoint) whose contents are echoed in the error view when the import fails, and get an authenticated user to submit it; the payload then runs as JavaScript in that user's browser under the SuiteCRM origin. From there the script acts with the victim's session: it can read or modify records the victim can see, exfiltrate the session cookie if it is not marked HttpOnly, or redirect the user to a phishing page. Given the sensitivity of CRM data (customer contact information, sales records, financial details), the potential for a data breach is substantial, and the impact scales with the victim's role: an administrator's session exposes administrative functions such as user management and module configuration. Any reach beyond SuiteCRM itself depends on what that session or the victim's browser can access, not on the vulnerability alone.
Exploitation status
CVE-2024-36413 was published on June 10, 2024 and is rated High (CVSS 8.9). No public exploit code or active campaigns targeting it are known at the time of writing. It is not in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score of 0.46% (64th percentile) indicates a low probability of exploitation in the near term. Even so, XSS bugs are easy to weaponise once the vulnerable view is known, and CRM data is sensitive, so organisations should prioritise patching.
Threat intelligence
EPSS: 0.46% (64th percentile)
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L (base score 8.9, High)
- Attack Vector: Network. Exploitable remotely over the network; no physical or local access required.
- Attack Complexity: Low. No special conditions; reliably exploitable.
- Privileges Required: Low. A valid user account is sufficient.
- User Interaction: Required. The victim must take an action such as opening a file or clicking a link.
- Scope: Changed. The attack affects a component beyond the vulnerable one (here the script runs in the victim's browser).
- Confidentiality: High. Complete loss of confidentiality; all data readable.
- Integrity: High. Arbitrary data can be written, modified or deleted.
- Availability: Low. Partial or intermittent denial of service.
Mitigations and workarounds
The primary mitigation for CVE-2024-36413 is to upgrade SuiteCRM to 7.14.4 or 8.6.1 (or later), which contain the fix. If an immediate upgrade is not feasible, reduce exposure in the meantime: restrict the import module to the users who actually need it, since exploitation requires an authenticated user to trigger the error view; put a Web Application Firewall (WAF) rule in front of the import endpoints that blocks common XSS payloads (a stop-gap only, since encoding-based bypasses are common); and make sure session cookies are marked HttpOnly and Secure so a successful injection cannot trivially read them. If you maintain local modifications to SuiteCRM, the correct fix is to HTML-encode every untrusted value the error view renders, not to filter input. Monitor the web server and SuiteCRM logs for requests to the import module carrying script-like content, and for bursts of import errors from a single user. After upgrading, confirm the fix by importing a test file whose fields contain a known XSS probe such as <script>alert(1)</script> in a way that makes the import fail; the probe should appear in the error view as literal text and must not execute.
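As an added illustration (not SuiteCRM's own code, and not the actual vulnerable view), the PHP sketch below shows the pattern behind a reflected XSS in an import error view and the output-encoding fix described above. The function names, the HTML layout and the sample CSV row are assumptions standing in for whatever the real import module echoes.

```php
<?php
// Added example, not SuiteCRM code: an import "error view" that reflects
// attacker-controlled data, shown vulnerable and hardened side by side.
// File name, row contents and error text are constructed sample values.

declare(strict_types=1);

// Vulnerable: interpolates raw strings into HTML. A field such as
// <script>...</script> in the uploaded CSV is rendered as markup when the
// import fails and the offending row is echoed back to the signed-in user.
function renderImportErrorVulnerable(string $fileName, string $row, string $error): string
{
    return '<div class="import-error">'
         . "<p>Import of <b>$fileName</b> failed: $error</p>"
         . "<pre>$row</pre>"
         . '</div>';
}

// Hardened: every untrusted value is HTML-entity encoded for the context it
// lands in (element content here). ENT_QUOTES also covers attribute values;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderImportErrorSafe(string $fileName, string $row, string $error): string
{
    return '<div class="import-error">'
         . '<p>Import of <b>' . h($fileName) . '</b> failed: ' . h($error) . '</p>'
         . '<pre>' . h($row) . '</pre>'
         . '</div>';
}

// Post-fix check in the spirit of the verification step above: the probe
// must survive only as entity-encoded text, never as a live <script> tag.
function probeIsNeutralised(string $html): bool
{
    return !str_contains($html, '<script>') && str_contains($html, '&lt;script&gt;');
}

// Constructed sample input: a CSV row carrying a script payload.
$fileName = 'contacts.csv';
$row      = 'Jane,Doe,"<script>alert(document.cookie)</script>"';
$error    = 'Unexpected number of columns on line 2';

$vuln = renderImportErrorVulnerable($fileName, $row, $error);
$safe = renderImportErrorSafe($fileName, $row, $error);

echo 'vulnerable view neutralises probe: ', var_export(probeIsNeutralised($vuln), true), PHP_EOL;
echo 'hardened view neutralises probe:   ', var_export(probeIsNeutralised($safe), true), PHP_EOL;
echo PHP_EOL, $vuln, PHP_EOL, PHP_EOL, $safe, PHP_EOL;
```

The same probe string is what you would place in a CSV field when re-testing a patched SuiteCRM: in the fixed error view it should show up as the literal characters of the tag, as in the hardened output here, rather than triggering a dialog. Note that encoding must match the output context; a value inserted into a JavaScript string or a URL attribute needs different escaping than element content.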
How to fix
Upgrade SuiteCRM to version 7.14.4 or later on the 7.x branch, or 8.6.1 or later on the 8.x branch. This resolves the reflected Cross-Site Scripting (XSS) vulnerability in the import module. The upgrade can be performed through the SuiteCRM administration panel or by downloading the latest release from the official website and following its upgrade instructions.
Frequently asked questions
What is CVE-2024-36413 — Cross-Site Scripting (XSS) in SuiteCRM?
It's a reflected Cross-Site Scripting (XSS) vulnerability in the error view of SuiteCRM's import module, which lets an attacker get script executed in an authenticated user's browser.
Am I affected by CVE-2024-36413 in SuiteCRM?
If you are running SuiteCRM 7.x earlier than 7.14.4, or 8.x earlier than 8.6.1, you are potentially affected by this vulnerability.
How do I fix CVE-2024-36413 in SuiteCRM?
Upgrade SuiteCRM to version 7.14.4 (7.x) or 8.6.1 (8.x), or later, to resolve the XSS vulnerability.
Is CVE-2024-36413 being actively exploited?
Currently, there are no publicly known exploits or active campaigns targeting this specific CVE, but vigilance is advised.
Where can I find the official SuiteCRM advisory for CVE-2024-36413?
Refer to the official SuiteCRM security advisory and the NVD entry for CVE-2024-36413 for detailed information.