CVE-2024-36418
Published: 10 June 2024
Summary
CVE-2024-36418 is a high-severity Path Traversal (CWE-22) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
SuiteCRM is an open-source Customer Relationship Management application that contains a path traversal vulnerability (CWE-22) in its connectors component. The flaw affects all versions prior to 7.14.4 and 8.6.1 and carries a CVSS 3.1 base score of 8.5, reflecting a network attack vector, high attack complexity, low privileges required, no user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An authenticated user can exploit the issue to achieve remote code execution on the server. The attack requires the attacker to already hold valid credentials but needs no further user interaction once authenticated.
The official GitHub Security Advisory GHSA-mfj5-37v4-vh5w states that upgrading to SuiteCRM 7.14.4 or 8.6.1 resolves the vulnerability. The associated EPSS score has remained flat at 0.0621, with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36075
Vulnerability details
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authenticated path traversal vulnerability (CWE-22) in SuiteCRM connectors lets low-privilege users achieve remote code execution on a network-accessible web application, which maps to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.