CVE-2024-49774
CVSS 3.1 Score 7.2 of 10 (high)
Details
Summary
CVE-2024-49774 is a vulnerability affecting SuiteCRM, an open-source CRM application. The issue lies in SuiteCRM's reliance on a blacklist of functions/methods to prevent the installation of malicious Multi-Level Programs (MLPs). However, these checks can be bypassed using certain syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulting Abstract Syntax Tree (AST) against the blacklists, but it fails to account for all scenarios, leaving the system vulnerable. The vulnerability has been fixed in versions 7.14.6 and 8.7.1, and users are strongly urged to upgrade. Currently, there are no known workarounds to mitigate this risk.
Affected Products
- SuiteCRM
Affected Vendors
- SalesAgility Ltd.