CVE-2024-49774

CVSS 3.1 Score: 7.2 of 10 (High)

Details

Published: Nov 5, 2024
Updated: Nov 13, 2024
CWE ID: 20

Summary

CVE-2024-49774 is a vulnerability affecting SuiteCRM, an open-source CRM application. The issue lies in SuiteCRM's reliance on a blacklist of functions and methods to block the installation of malicious Multi-Level Programs (MLPs); these checks can be bypassed using certain syntax constructions. SuiteCRM uses token_get_all to parse the PHP scripts in a package and checks the resulting Abstract Syntax Tree (AST) against the blacklist, but the check does not account for every way the blacklisted calls can be expressed, so a package can evade it. The vulnerability is fixed in versions 7.14.6 and 8.7.1, and users are strongly urged to upgrade. No workarounds are known; upgrading is the only mitigation.



Affected Products

  • SuiteCRM

Affected Vendors

  • SalesAgility Ltd.