CVE-2024-36412
Published: 10 June 2024
Summary
CVE-2024-36412 is a critical-severity SQL Injection (CWE-89) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
SuiteCRM is an open-source customer relationship management application that is affected by a SQL injection vulnerability in its events response entry point. The flaw, classified as CWE-89, affects all versions prior to 7.14.4 and 8.6.1 and carries a CVSS 3.1 score of 10.0, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, a changed scope, and high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input to the affected entry point and execute arbitrary SQL commands against the underlying database, enabling complete compromise of the application data and potentially the host environment.
The vendor advisories published on GitHub state that the issue is resolved in SuiteCRM 7.14.4 and 8.6.1; administrators are advised to apply these updates immediately to eliminate the injection vector.
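As an added example (not part of this advisory or of SuiteCRM's own code), a Python check that maps the affected-version ranges above onto a host inventory: it flags 7.x releases before 7.14.4 and 8.x releases before 8.6.1, treats a pre-release build of a fixed version as still affected, and reads the version out of file contents. The file name suitecrm_version.php, the variable $suitecrm_version and the host names are assumptions, not values from the advisory.

```python
import re
from typing import Optional

# Fixed releases named in the advisory; the trailing True marks a final (non pre-release) build,
# so a pre-release such as 8.6.1-rc1 sorts before the real fix and is still reported as affected.
FIXED_7 = (7, 14, 4, True)
FIXED_8 = (8, 6, 1, True)

def parse_version(text: str) -> tuple:
    """Turn '7.14.3', 'v8.6.0' or '8.6.1-rc1' into a comparable (major, minor, patch, is_final) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)([-+][0-9A-Za-z.]+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group(4) is None)

def is_vulnerable(version: str) -> bool:
    """True when the release predates the fix for its line (7.x before 7.14.4, 8.x before 8.6.1).
    Anything older than the 7.x line is also prior to 7.14.4 and therefore affected."""
    v = parse_version(version)
    if v[0] >= 8:
        return v < FIXED_8
    return v < FIXED_7

def version_from_php_source(source: str) -> Optional[str]:
    """Extract the version string from a PHP version file.
    Assumption: the file declares $suitecrm_version = '<version>'; (file/variable names are assumed)."""
    m = re.search(r"\$suitecrm_version\s*=\s*['\"]([^'\"]+)['\"]", source)
    return m.group(1) if m else None

def triage(inventory: dict) -> dict:
    """Map host -> 'patch' / 'ok' / 'unknown' for an inventory of host -> version-file contents."""
    result = {}
    for host, src in inventory.items():
        ver = version_from_php_source(src)
        if ver is None:
            result[host] = "unknown"          # no version found: verify by hand
        else:
            result[host] = "patch" if is_vulnerable(ver) else "ok"
    return result

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE = {
    "crm-a.example": "<?php\n$suitecrm_version = '7.14.3';\n",
    "crm-b.example": "<?php\n$suitecrm_version = '8.6.1';\n",
    "crm-c.example": "<?php\n$suitecrm_version = '8.5.1';\n",
    "crm-d.example": "<?php\n// no version variable present\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```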
The associated EPSS score has reached 0.9364 without an observable climb from a lower baseline, indicating sustained high exploitation likelihood since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36069
Vulnerability details
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the events response entry point allows a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.