CVE-2023-5350
Published: 03 October 2023
Summary
CVE-2023-5350 is a critical-severity SQL Injection (CWE-89) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-5350 is a SQL injection vulnerability, tracked as CWE-89, that affects the SuiteCRM application in the salesagility/suitecrm repository prior to version 7.14.1. The flaw received a CVSS 3.1 score of 9.1, reflecting a network attack vector, low attack complexity, and no requirement for authentication or user interaction, with high impact on confidentiality and integrity and no impact on availability.
An unauthenticated remote attacker can supply crafted input that is passed directly into SQL queries, allowing arbitrary data extraction or modification within the application's database. Successful exploitation can therefore expose or alter sensitive CRM records without any prior credentials or user assistance.
The referenced commit c43eaa311fb010b7928983e6afc6f9075c3996aa and the associated huntr.dev report document the fix that was merged to address the injection; administrators should upgrade to SuiteCRM 7.14.1 or later to eliminate the vulnerable code paths. The EPSS score has remained flat at its peak value of 0.1528 with no material increase observed after disclosure.
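To act on the upgrade guidance above, the helper below (an added example, not part of this advisory or of SuiteCRM itself) reads the version string that SuiteCRM 7.x declares in its suitecrm_version.php and compares it numerically against the fixed release 7.14.1, so that 7.9.x is correctly treated as older than 7.14.1 and a pre-release such as 7.14.1-beta as older than the final 7.14.1. The file name, its $suitecrm_version variable and the sample file contents are assumptions here.

```python
import re
from typing import Optional, Tuple

# Release in which CVE-2023-5350 is fixed, as stated in the advisory.
FIXED_VERSION = "7.14.1"

# Assumption: SuiteCRM 7.x ships suitecrm_version.php in its web root with a
# line such as  $suitecrm_version = '7.13.4';  The advisory does not say this.
_VERSION_RE = re.compile(r"\$suitecrm_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '7.14.1' or '7.14.1-beta' into a sortable key.

    Numeric parts are compared as integers (not as strings) and padded to
    major.minor.patch; a pre-release tag sorts before the final release.
    """
    core, _, tag = text.strip().partition("-")
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    nums += (0,) * (3 - len(nums))          # '7.14' -> (7, 14, 0)
    return nums, (0 if tag else 1)          # '7.14.1-beta' < '7.14.1'


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def version_from_php(source: str) -> Optional[str]:
    """Extract $suitecrm_version from the text of suitecrm_version.php."""
    m = _VERSION_RE.search(source)
    return m.group(1) if m else None


def triage(php_source: str) -> str:
    """Classify a suitecrm_version.php file for CVE-2023-5350 exposure."""
    version = version_from_php(php_source)
    if version is None:
        return "unknown: version string not found"
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        return f"unknown: unparseable version {version!r}"
    status = f"VULNERABLE (upgrade to {FIXED_VERSION} or later)" if vulnerable else "fixed"
    return f"{version}: {status}"


# Constructed sample mimicking the shape of a SuiteCRM 7 suitecrm_version.php
SAMPLE_PHP = "<?php\n$suitecrm_version = '7.13.4';\n$suitecrm_timestamp = '2023-07-01';\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PHP))
```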
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-57666
Vulnerability details
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL Injection in SuiteCRM (CRM software) enables exploitation of public-facing web applications (T1190) and collection of data from customer relationship management software repositories (T1213.004).