Cyber Posture

CVE-2022-45186

High · Public PoC

Published: 07 January 2025

Modified: 15 April 2025
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (31.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-45186 is a high-severity vulnerability of unspecified weakness type in SalesAgility SuiteCRM. Its CVSS base score is 8.1 (High).

Operationally, it is ranked at the 31.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces approved authorizations to prevent authenticated users from recovering arbitrary database fields beyond their privileges.

prevent

Restricts user access to only necessary database fields according to least privilege, directly mitigating unauthorized data recovery.

prevent

Requires timely remediation of flaws like CVE-2022-45186 through patching to eliminate the arbitrary field recovery vulnerability.

NVD Description

An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.

Deeper analysis · AI

CVE-2022-45186 is a vulnerability discovered in SuiteCRM version 7.12.7 that allows authenticated users to recover an arbitrary field from the database. This flaw affects the open-source customer relationship management software SuiteCRM, specifically the 7.12.7 release, enabling unauthorized access to sensitive database content beyond the user's privileges.

The vulnerability can be exploited over the network with low complexity by users with low privileges, such as any authenticated account, and requires no user interaction. Successful exploitation has a high impact on confidentiality, by allowing recovery of arbitrary database fields, and a high impact on integrity, by potentially enabling unauthorized modifications, with no impact on availability, as reflected in its CVSS v3.1 base score of 8.1.

Mitigation details are available in the SuiteCRM 7.12.x release documentation, which covers patches and updates for affected versions. Additional resources include the Orange Cyberdefense CVE repository and a corresponding proof-of-concept script demonstrating the issue.

Details

CWE(s)

Affected Products

salesagility
suitecrm
7.12.7

CVEs Like This One

CVE-2022-50589 (same product: Salesagility Suitecrm)
CVE-2019-25663 (same product: Salesagility Suitecrm)
CVE-2022-45185 (same product: Salesagility Suitecrm)
CVE-2025-54788 (same product: Salesagility Suitecrm)
CVE-2019-25664 (same product: Salesagility Suitecrm)
CVE-2025-54785 (same product: Salesagility Suitecrm)

References