PT-2022-16354 · Suitecrm · Suitecrm

Manuelz120 · Published 2022-03-07 · Updated 2024-03-06 · CVE-2022-23940

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.12.2 and 8.0.2

Description: The issue allows remote code execution. Authenticated users with access to the Scheduled Reports module can exploit it through PHP deserialization of the email recipients property: they create a malicious report whose email recipients field contains a PHP deserialization payload. Once any user opens this report, the backend deserializes the content of the email recipients field and the payload is executed. Project dependencies include PHP deserialization gadgets that can be used for code execution.

Recommendations: For SuiteCRM versions prior to 7.12.2, update to version 7.12.2 or later to resolve the issue. For SuiteCRM version 8.0.1, update to version 8.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Scheduled Reports module until a patch is available. Avoid using the email recipients field in the Scheduled Reports module until the issue is resolved.
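The weakness described above, as an added example that is not SuiteCRM's code: a hypothetical loader that passes a stored recipients field straight to unserialize(), beside two hardened forms (object-free unserialize with shape validation, and JSON instead of native serialization). Function names, the storage format and the sample inputs are assumptions.

```php
<?php
// Added example, not SuiteCRM code: function names and storage format are hypothetical.

// Weak pattern: a stored column is handed to unserialize() unchanged. Any object
// embedded in the string is instantiated, so magic methods (__wakeup, __destruct, ...)
// of whatever classes the application and its dependencies define run during this call.
function loadRecipientsUnsafe(string $stored): array
{
    $data = @unserialize($stored);
    return is_array($data) ? $data : [];
}

// Shared validation: keep only plain strings that are syntactically valid addresses.
// Anything else (nested arrays, objects, incomplete-class stubs) is discarded.
function onlyValidEmails(array $data): array
{
    $out = [];
    foreach ($data as $entry) {
        if (is_string($entry) && filter_var($entry, FILTER_VALIDATE_EMAIL) !== false) {
            $out[] = $entry;
        }
    }
    return $out;
}

// Hardened form 1: forbid object instantiation and validate the result's shape.
// With allowed_classes => false, objects come back as __PHP_Incomplete_Class stubs
// and no __wakeup/__destruct is invoked; the type checks then drop them.
function loadRecipientsSafe(string $stored): array
{
    $data = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? onlyValidEmails($data) : [];
}

// Hardened form 2: do not use PHP's native serialization for this field at all.
// JSON has no notation that maps to PHP classes, so there is nothing to hook.
function storeRecipientsJson(array $emails): string
{
    return json_encode(array_values($emails), JSON_THROW_ON_ERROR);
}

function loadRecipientsJson(string $stored): array
{
    $data = json_decode($stored, true, 2, JSON_THROW_ON_ERROR); // depth 2: flat list only
    return is_array($data) ? onlyValidEmails($data) : [];
}

// Constructed inputs: a legitimate list, and one that smuggles an object into the
// list (a harmless stdClass stands in for an arbitrary class; no gadget is used).
$legit    = serialize(['alice@example.com', 'bob@example.com']);
$smuggled = 'a:2:{i:0;s:17:"alice@example.com";i:1;O:8:"stdClass":0:{}}';

var_dump(loadRecipientsUnsafe($smuggled)[1] instanceof stdClass); // was the object built?
var_dump(loadRecipientsSafe($smuggled));                          // object entry dropped
var_dump(loadRecipientsJson(storeRecipientsJson(['bob@example.com', 'not an address'])));
```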

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BIT-SUITECRM-2022-23940
CVE-2022-23940

Affected Products

Suitecrm