Suite CRM v7.14.2 - SSRF
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Suite CRM v7.14.2 - SSRF
Code name
State
Public
Release date
6 feb 2024
Affected product
Suite CRM
Affected version(s)
Version 7.14.2
Vulnerability name
Server-site request forgery
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CVSS v3.1 base score
5.0
Exploit available
Yes
CVE ID(s)
Description
Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to SSRF.
Vulnerability
A server request forgery (SSRF) vulnerability has been identified in Suite CRM that, under certain conditions, could allow a user to make arbitrary HTTP requests through the vulnerable server.
The vulnerability exists because a user-entered URL is passed to the getimagesize function.
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-6388 to refer to this issue from now on.
System Information
Version: Suite CRM v7.14.2
Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/salesagility/SuiteCRM/
Timeline
5 dic 2023
Vulnerability discovered
5 dic 2023
Vendor contacted
7 dic 2023
Vendor replied
7 dic 2023
Vendor confirmed
6 dic 2023
Vulnerability patched
6 feb 2024
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
