Cyber Resilience

CVE-2024-36412

Critical

Published: 10 June 2024

Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9364 (99.9th percentile)
Risk Priority: 76 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36412 is a critical-severity SQL injection (CWE-89) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

SuiteCRM is an open-source customer relationship management application that is affected by a SQL injection vulnerability in its events response entry point. The flaw, classified as CWE-89, impacts all versions prior to 7.14.4 and 8.6.1 and carries a CVSS 3.1 score of 10.0, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, a changed scope (S:C), and high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input to the affected entry point and execute arbitrary SQL commands against the underlying database, enabling complete compromise of the application data and potentially the host environment.

The vendor advisories published on GitHub state that the issue is resolved in SuiteCRM 7.14.4 and 8.6.1; administrators are advised to apply these updates immediately to eliminate the injection vector.

The associated EPSS score stands at 0.9364 and has not climbed from a lower baseline, indicating a sustained high exploitation likelihood since disclosure.

Vulnerability details

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the events response entry point allows a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

SalesAgility SuiteCRM: ≤ 7.14.4; 8.0.0 to 8.6.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Input validation and parameterized queries validate query inputs to prevent SQL syntax or command manipulation.
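The second control above is the one that removes the weakness class rather than just finding instances of it. The following is an added illustration, not SuiteCRM code and not written in SuiteCRM's language (PHP): it uses Python's standard-library sqlite3 module and a constructed in-memory `event_responses` table (a hypothetical stand-in for an events response lookup) to contrast a CWE-89 pattern, where the request parameter is concatenated into the SQL text, with a parameterized query plus an allow-list check on the identifier format. The table name, column names, sample rows and the `evt-NNNN` identifier format are all assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for an events response store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event_responses "
        "(id INTEGER PRIMARY KEY, event_id TEXT, contact TEXT, response TEXT)"
    )
    conn.executemany(
        "INSERT INTO event_responses (event_id, contact, response) VALUES (?, ?, ?)",
        [
            ("evt-1001", "alice", "accepted"),
            ("evt-1001", "bob", "declined"),
            ("evt-2002", "carol", "accepted"),
        ],
    )
    return conn


def lookup_vulnerable(conn, event_id):
    """CWE-89 pattern: untrusted input is spliced into the SQL text.

    A value containing a quote changes the query's structure, so a filter
    meant to select one event can be turned into one that matches every row.
    """
    sql = "SELECT contact, response FROM event_responses WHERE event_id = '%s'" % event_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, event_id):
    """Mitigation: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT contact, response FROM event_responses WHERE event_id = ?"
    return conn.execute(sql, (event_id,)).fetchall()


# Assumed identifier format for the example: "evt-" followed by 1 to 10 digits.
EVENT_ID_RE = re.compile(r"evt-\d{1,10}")


def validate_event_id(event_id):
    """Allow-list check: reject anything that is not a well-formed event id."""
    if not isinstance(event_id, str) or not EVENT_ID_RE.fullmatch(event_id):
        raise ValueError("invalid event id")
    return event_id


def lookup_hardened(conn, event_id):
    """Defence in depth: validate the shape of the input, then bind it as a parameter."""
    return lookup_parameterized(conn, validate_event_id(event_id))


if __name__ == "__main__":
    db = make_db()
    legit = "evt-1001"
    # Tautology-style input of the kind the mitigation is meant to neutralise.
    hostile = "' OR '1'='1"
    print("vulnerable, legit input:   ", lookup_vulnerable(db, legit))
    print("vulnerable, hostile input: ", lookup_vulnerable(db, hostile))   # every row leaks
    print("parameterized, hostile:    ", lookup_parameterized(db, hostile))  # no rows
    try:
        lookup_hardened(db, hostile)
    except ValueError as exc:
        print("hardened, hostile:          rejected:", exc)
```

Run as a script it prints the three outcomes side by side: the concatenated query returns all three rows for the hostile input, the bound-parameter query returns none because no `event_id` literally equals that string, and the hardened lookup refuses the input before any SQL is built. The parameterized query alone is sufficient to close CWE-89; the format check is the extra layer that also gives a clean log signal when malformed identifiers arrive.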
