9.1
CVE-2024-36415
- EPSS 0.88%
- Veröffentlicht 10.06.2024 20:15:14
- Zuletzt bearbeitet 21.11.2024 09:22:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginSuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Salesagility ≫ Suite CRM Version < 7.14.4
Salesagility ≫ Suite CRM Version >= 8.0.0 < 8.6.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.88% | 0.544 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 9.1 | 2.3 | 6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh