Cyber Resilience

CVE-2024-36419

Medium

Published: 10 June 2024

Published
10 June 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0027 50.7th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-36419 is a medium-severity Open Redirect (CWE-601) vulnerability in Salesagility Suitecrm. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Internal Spearphishing (T1534); ranked in the top 49.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1534 Internal Spearphishing Lateral Movement
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Host header injection enables open redirects (CWE-601), allowing low-privileged attackers to craft phishing links mimicking the legitimate SuiteCRM domain for spearphishing link attacks or internal spearphishing from a compromised account.

Affected Assets

salesagility
suitecrm
≤ 8.6.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

References