CVE-2024-36409 CRITICAL

CVE-2024-36409: SuiteCRM authenticated SQL Injection in TreeData entrypoint

Vendor Salesagility
Product SuiteCRM
Weakness CWE-89 · SQLi
Published June 10, 2024
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

What the vulnerability does

01Description

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

Key dates

02Disclosure timeline

June 10, 2024 CVE published
August 2, 2024 Record updated