Cyber Resilience

CVE-2023-5350

CriticalPublic PoC

Published: 03 October 2023

Published
03 October 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.1528 94.8th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-5350 is a critical-severity SQL Injection (CWE-89) vulnerability in Salesagility Suitecrm. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-5350 is a SQL injection vulnerability, tracked as CWE-89, that affects the SuiteCRM application in the salesagility/suitecrm repository prior to version 7.14.1. The flaw received a CVSS 3.1 score of 9.1, reflecting network attack vector, low attack complexity, and no requirements for authentication or user interaction, with impacts limited to high confidentiality and integrity loss.

An unauthenticated remote attacker can supply crafted input that is passed directly into SQL queries, allowing arbitrary data extraction or modification within the application's database. Successful exploitation can therefore expose or alter sensitive CRM records without any prior credentials or user assistance.

The referenced commit c43eaa311fb010b7928983e6afc6f9075c3996aa and the associated huntr.dev report document the fix that was merged to address the injection; administrators should upgrade to SuiteCRM 7.14.1 or later to eliminate the vulnerable code paths. The EPSS score has remained flat at its peak value of 0.1528 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.004 Customer Relationship Management Software Collection
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Why these techniques?

SQL Injection in SuiteCRM (CRM software) enables exploitation of public-facing web applications (T1190) and collection of data from customer relationship management software repositories (T1213.004).

Affected Assets

salesagility
suitecrm
≤ 7.14.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References