Dzentota

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions 7.14.6 and 8.8.0 **Description** SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated or sanitized before being passed to the `unserialize()` function. This could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining, and ransomware. **Recommendations** Update to SuiteCRM version 7.14.7. Update to SuiteCRM version 8.8.1.

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.6 SuiteCRM versions prior to 8.7.1 Description: The issue is related to poor input validation in the export functionality, allowing an authenticated user to perform a SQL injection attack. The `current post` parameter in the `export` entry point can be exploited to perform blind SQL injection via the `generateSearchWhere()` function, potentially leading to information disclosure, including personally identifiable information. Recommendations: For versions prior to 7.14.6, upgrade to version 7.14.6 or later. For versions prior to 8.7.1, upgrade to version 8.7.1 or later. As a temporary workaround, consider restricting access to the `export` entry point to minimize the risk of exploitation. Avoid using the `current post` parameter in the affected `export` entry point until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.6 SuiteCRM versions prior to 8.7.1 Description: The issue arises from the way SuiteCRM checks PHP scripts against a blacklist of functions and methods to prevent the installation of malicious MLPs. However, this check can be bypassed using certain syntax constructions. SuiteCRM uses the `token get all` function to parse PHP scripts and checks the resulting Abstract Syntax Tree (AST) against blacklists, but it does not account for all possible scenarios. Recommendations: For versions prior to 7.14.6, upgrade to version 7.14.6 or later. For versions prior to 8.7.1, upgrade to version 8.7.1 or later.

Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.6 SuiteCRM versions prior to 8.7.1 Description: The issue arises from the lack of validation of user input, which is then written to the filesystem. The `ParserLabel::addLabels()` function can be exploited to write attacker-controlled data into custom language files that are included at runtime. Recommendations: For versions prior to 7.14.6, upgrade to version 7.14.6 or later. For versions prior to 8.7.1, upgrade to version 8.7.1 or later. As a temporary workaround, consider restricting access to the `ParserLabel::addLabels()` function until a patch is available.