Cyber Resilience

CVE-2024-36418

Severity: High

Published: 10 June 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (upgrade to 7.14.4 or 8.6.1)
CVSS v3.1 score: 8.5 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0621 (91.1st percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36418 is a high-severity path traversal (CWE-22) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

SuiteCRM is an open-source Customer Relationship Management application that contains a path traversal vulnerability (CWE-22) in its connectors component. The flaw affects all versions prior to 7.14.4 and 8.6.1 and carries a CVSS 3.1 score of 8.5, reflecting a network attack vector, high attack complexity, low privileges required, no user interaction, and a changed scope with high impact on confidentiality, integrity, and availability.

An authenticated user can exploit the issue to achieve remote code execution on the server. The attacker must already hold valid credentials, but no further user interaction is needed once authenticated.

The official GitHub Security Advisory GHSA-mfj5-37v4-vh5w states that upgrading to SuiteCRM 7.14.4 or 8.6.1 resolves the vulnerability. The associated EPSS score has remained flat at 0.0621, with no material increase since disclosure.

EU & UK References

Vulnerability details

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
  Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The authenticated path traversal vulnerability (CWE-22) in SuiteCRM connectors lets low-privilege users achieve remote code execution on a network-accessible web application, which maps to exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).

Affected Assets

salesagility / suitecrm: ≤ 7.14.4 · 8.0.0 — 8.6.1

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
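As an added example that is not part of this record or of SuiteCRM's own code, the following Python implements the control described above: a user-supplied file name is resolved to a canonical absolute path and accepted only if that path stays inside an allowed base directory. The directory layout, file names and sample inputs are constructed for the demo; the functions `resolve_within` and `is_contained` are hypothetical names, not an API of any library.

```python
"""Added example (not SuiteCRM code): containment check for user-supplied
pathnames, the CWE-22 control described in the mitigating-controls entry.
Directory layout and sample inputs below are constructed for the demo."""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`.

    The decision is made on the fully resolved path (symlinks, '..', '.',
    and redundant separators collapsed), not on the raw string, so nested
    or disguised traversal sequences cannot slip past a substring filter.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `requested` is absolute, so an absolute
    # input resolves to itself and is then rejected by the containment test.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare path components, not string prefixes: '/srv/app-data' must not
    # be accepted as lying inside '/srv/app'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} escapes {base_dir!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_within for callers that prefer not to catch."""
    try:
        resolve_within(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Exercise the check against constructed inputs in a throwaway tree.

    Returns a mapping of each requested path to True (allowed) or False
    (rejected) so the behaviour can be inspected or asserted on.
    """
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "connectors")
        os.makedirs(os.path.join(base, "sub"))
        os.makedirs(os.path.join(root, "connectors-other"))  # prefix-collision sibling
        open(os.path.join(base, "sub", "ok.php"), "w").close()
        cases = [
            "sub/ok.php",                      # plain relative path: allowed
            "./sub/../sub/ok.php",             # harmless dot segments: allowed
            "../etc/passwd",                   # classic traversal: rejected
            "sub/../../connectors-other/x",    # escapes into a sibling dir: rejected
            "/etc/passwd",                     # absolute path: rejected
            "sub/ok.php\x00.txt",              # NUL-byte truncation trick: rejected
        ]
        try:
            # A symlink inside base that points above it must also be rejected.
            os.symlink(root, os.path.join(base, "escape"))
            cases.append("escape/secret")
        except OSError:
            pass  # symlink creation not permitted on this platform; skip that case
        return {c: is_contained(base, c) for c in cases}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {path!r}")
```

The check runs after canonicalisation because that is the only point at which the filesystem's view of the path is known; validating the raw string (for example, stripping `../`) leaves symlinks, absolute paths and encoding variants unhandled.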

References