SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous Content Leads to Authenticated Remote Code Execution
CVE-2024-36415

CVSS 3.1: 8.8 HIGH

Key Information:

Status:
Vendor: SalesAgility
CVE Published: 10 June 2024

What is CVE-2024-36415?

CVE-2024-36415 is a high-severity vulnerability (CVSS 3.1 score 8.8) in SuiteCRM, an open-source Customer Relationship Management (CRM) application developed by SalesAgility. It stems from improper control of how uploaded files and include paths are handled, which lets an authenticated user execute arbitrary code on the server. A flaw of this kind undermines the security of the whole deployment: it enables unauthorized access to sensitive data and can lead to compromise of the entire system.

Technical Details

The vulnerability combines two weaknesses: the filename used in a PHP include statement is not properly controlled, and files with dangerous content can be uploaded without restriction. Before versions 7.14.4 and 8.6.1, SuiteCRM was exposed to both, and together they allow remote code execution by an authenticated user. Both issues are fixed in those versions, so organizations running older releases should update to remove the risk.
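The two weakness classes named in this advisory correspond to CWE-98 (improper control of the filename for a PHP include/require statement) and CWE-434 (unrestricted upload of a file with a dangerous type). The following PHP is an added illustration of what each pattern looks like next to its hardened form; it is not SuiteCRM's code, and every function, path, module name and upload directory in it is an assumption made for the example. It assumes the `fileinfo` extension is available and uses `rename()` in place of `move_uploaded_file()` so it can be run from the command line on constructed input.

```php
<?php
declare(strict_types=1);

// Added illustration of the two weakness classes in the advisory: an include
// whose filename comes from the request (CWE-98) and an upload handler that
// stores any file under its client-chosen name (CWE-434). This is NOT
// SuiteCRM's code; all names and paths below are assumptions for the example.

// ---------- Weak patterns ----------

// Filename taken straight from the multipart request: traversal sequences and
// a .php extension are stored as-is, so the upload directory can hold PHP source.
function weakStoreUpload(string $clientName, string $tmpPath, string $uploadDir): string
{
    $target = $uploadDir . '/' . $clientName;
    rename($tmpPath, $target);            // move_uploaded_file() in a real handler
    return $target;
}

// Module name taken from a request parameter and spliced into an include path.
function weakLoadModule(string $module): void
{
    include 'modules/' . $module . '.php';
}

// ---------- Hardened patterns ----------

// Allowlist of extensions, each mapped to the MIME type the file bytes must have.
const ALLOWED_UPLOADS = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

// Validate an upload and return a server-chosen filename; throws on anything else.
function validateUpload(string $clientName, string $tmpPath): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // Check the bytes, not the name: a ".png" that is really PHP source fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Random server-side name: no traversal, no double extension, never .php.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function safeStoreUpload(string $clientName, string $tmpPath, string $uploadDir): string
{
    $stored = validateUpload($clientName, $tmpPath);
    $target = rtrim($uploadDir, '/') . '/' . $stored;
    if (!rename($tmpPath, $target)) {     // move_uploaded_file() in a real handler
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Resolve a module name through a fixed map instead of building an include path.
const MODULE_FILES = [
    'Accounts' => 'modules/Accounts/index.php',   // assumed paths
    'Contacts' => 'modules/Contacts/index.php',
];

function resolveModule(string $module): string
{
    if (!isset(MODULE_FILES[$module])) {
        throw new InvalidArgumentException("unknown module '$module'");
    }
    return MODULE_FILES[$module];
}

function safeLoadModule(string $module): void
{
    include resolveModule($module);
}

// ---------- Demo on constructed input (php this_file.php) ----------
$dir = sys_get_temp_dir() . '/uploads_demo';
@mkdir($dir);

// Constructed benign upload: a file starting with the PNG signature.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
echo 'stored as: ' . safeStoreUpload('photo.png', $tmp, $dir) . PHP_EOL;

// Constructed hostile cases: PHP source behind an image name, and a traversal name.
foreach ([['evil.php.png', '<?php echo 1;'], ['../../x.php', '<?php echo 1;']] as [$name, $body]) {
    $t = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($t, $body);
    try {
        safeStoreUpload($name, $t, $dir);
    } catch (RuntimeException $e) {
        echo "rejected $name: " . $e->getMessage() . PHP_EOL;
    }
}

try {
    resolveModule('../../../etc/passwd');
} catch (InvalidArgumentException $e) {
    echo 'rejected module: ' . $e->getMessage() . PHP_EOL;
}
```

The hardened half removes the attacker's influence at both points: the stored name is generated server-side and the extension and content type are checked against an allowlist, and the include path is looked up in a fixed map rather than assembled from a parameter. As a second layer, the upload directory should sit outside the web root or be served with PHP execution disabled, so that even a file that slips past validation cannot be run as code.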

Potential impact of CVE-2024-36415

  1. Remote Code Execution: The primary risk associated with this vulnerability is the potential for remote code execution, which can allow malicious actors to run arbitrary code on the server. This paves the way for further exploitation of the affected system.

  2. Data Breaches: Because CRM applications typically store sensitive customer information, exploitation of this vulnerability could lead to significant data breaches. Such incidents erode customer trust and can cause financial losses for the organization.

  3. System Compromise and Malware Deployment: Successful exploitation can enable attackers to gain control over the system, making it easier to deploy malware, establish backdoors, or facilitate lateral movement within an organization’s network, thereby broadening the scope of potential damage.

Affected Version(s)

SuiteCRM < 7.14.4

SuiteCRM >= 8.0.0, < 8.6.1

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 10 June 2024
