PT-2024-26973 · Php+1 · Php+1

Elsicarius

Published

2024-03-08

Updated

2024-06-12

CVE-2024-36407

CVSS v3.1

3.7

Low

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions SuiteCRM versions prior to 7.14.4 SuiteCRM versions prior to 8.6.1

Description The issue allows an unauthenticated attacker to reset a user's password, although the attacker does not gain access to the new password. This can cause annoyance for the user. The attack requires certain password reset functionalities to be enabled and the system to be using PHP 7, which is not an officially supported version.

Recommendations For versions prior to 7.14.4, update to version 7.14.4 or later to resolve the issue. For versions prior to 8.6.1, update to version 8.6.1 or later to resolve the issue. As a temporary workaround, consider disabling password reset functionalities until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-640

Related Identifiers

BIT-SUITECRM-2024-36407

CVE-2024-36407

GHSA-6P2F-WWX9-952R

Affected Products

Php

Suitecrm

PT-2024-26973 · Php+1 · Php+1

CVE-2024-36407

Weakness Enumeration

Related Identifiers

Affected Products

References · 9