CVE-2024-49773 MEDIUM

CVE-2024-49773: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM

Vendor Salesagility
Product SuiteCRM
Weakness CWE-89 · SQLi
Published November 5, 2024
Last update November 5, 2024
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` entry point can be abused to perform blind SQL injection via generateSearchWhere(). Allows for Information disclosure, including personally identifiable information. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

November 5, 2024 CVE published
November 5, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41143 YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave() CVE-2023-2050 Campcodes Advanced Online Voting System positions_add.php sql injection CVE-2024-2524 MAGESH-K21 Online-College-Event-Hall-Reservation-System receipt.php sql injection CVE-2025-1323 WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Unauthenticated SQL Injection CVE-2025-0699 JoeyBling bootplus list sql injection