PT-2021-16885 · SuiteCRM · SuiteCRM

Published: 2021-09-29 · Updated: 2024-03-06 · CVE-2021-25961

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 7.1.7 through 7.10.31; SuiteCRM versions 7.11-beta through 7.11.20

Description: The issue arises from the failure to properly invalidate password reset links associated with a deleted user id. A reset link issued for the old account remains valid, making it possible to take over the account of any newly created user that is assigned the same user id.

Recommendations: For versions 7.1.7 through 7.10.31 and for versions 7.11-beta through 7.11.20, consider temporarily restricting the use of password reset links until a patch is available. As a temporary workaround, consider disabling the password reset functionality for deleted user ids to minimize the risk of exploitation.
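The two token-store designs below are an added illustration, not SuiteCRM's code: the vulnerable pattern the description names (tokens keyed to the user id and left behind on deletion) beside a hardened store that revokes tokens on deletion and binds each token to a per-record nonce; the class names, the nonce field and the helper are assumptions for the example.

```python
import secrets

class VulnerableStore:
    """Reset tokens bound to the user id alone; they outlive user deletion."""
    def __init__(self):
        self.users = {}   # user_id -> account record
        self.tokens = {}  # reset token -> user_id
    def create_user(self, user_id, name):
        # Hypothetical per-record nonce, minted on creation, so a newly created
        # user that reuses an old id is still a distinct identity.
        self.users[user_id] = {"name": name, "nonce": secrets.token_hex(16)}
        return self.users[user_id]
    def delete_user(self, user_id):
        del self.users[user_id]  # outstanding reset tokens are left behind
    def issue_reset(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user_id
        return token
    def redeem(self, token):
        user_id = self.tokens.pop(token, None)
        return self.users.get(user_id)  # whoever currently holds that id

class HardenedStore(VulnerableStore):
    """Tokens are revoked when the user is deleted and bound to the nonce."""
    def delete_user(self, user_id):
        super().delete_user(user_id)
        # Purge every outstanding token issued for the deleted id.
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user_id}
    def issue_reset(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, self.users[user_id]["nonce"])
        return token
    def redeem(self, token):
        user_id, nonce = self.tokens.pop(token, (None, None))
        user = self.users.get(user_id)
        # Even if a token slipped past the purge, a recreated record has a
        # different nonce, so the stale link cannot reach the new user.
        if user is None or not secrets.compare_digest(user["nonce"], nonce):
            return None
        return user

def stale_link_reaches_new_user(store_cls):
    """Reset issued for id 7, user 7 deleted, id 7 recreated, old link redeemed."""
    store = store_cls()
    store.create_user("7", "alice")
    stale = store.issue_reset("7")
    store.delete_user("7")
    newcomer = store.create_user("7", "bob")
    return store.redeem(stale) is newcomer
```

The helper returns True for the vulnerable store (the stale link resolves to the new account) and False for the hardened one; either fix alone closes this case, and using both covers a purge that is skipped on some deletion path.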

Related Identifiers: BIT-SUITECRM-2021-25961, CVE-2021-25961

Affected Products: SuiteCRM