PT-2024-33683 · Suitecrm · Suitecrm
Dzentota · Published 2024-11-05 · Updated 2026-03-19 · CVE-2024-49774
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
SuiteCRM versions prior to 7.14.6
SuiteCRM versions prior to 8.7.1
Description:
The issue arises from the way SuiteCRM checks PHP scripts against a blacklist of functions and methods to prevent the installation of malicious MLPs (module loader packages). This check can be bypassed using certain syntax constructions. SuiteCRM uses the `token_get_all` function to parse PHP scripts and checks the resulting Abstract Syntax Tree (AST) against blacklists, but it does not account for all possible scenarios.
Recommendations:
For versions prior to 7.14.6, upgrade to version 7.14.6 or later.
For versions prior to 8.7.1, upgrade to version 8.7.1 or later.
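The following script is an added example, not part of this advisory or of SuiteCRM itself: it turns the two affected ranges above into an inventory check that tells you which instances still need the upgrade. The version strings and host names in `SAMPLE_INVENTORY` are constructed; the fixed versions are the ones stated in the recommendations. Pre-release builds of a fixed version (for example `8.7.1-rc1`) are treated conservatively as still affected, and major lines the advisory does not mention return `None` rather than a false "not affected".

```python
"""Affected-version check for CVE-2024-49774 (added example, not advisory code)."""
import re

# Fixed versions named in the advisory, keyed by major release line.
FIXED_VERSIONS = {7: (7, 14, 6), 8: (8, 7, 1)}

# Accepts "7.14.6", "v8.7", "8.7.1-rc1", "8.7.1beta2" and similar.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(alpha|beta|rc)\d*)?",
    re.IGNORECASE,
)


def parse_version(text):
    """Parse a SuiteCRM version string into a comparable tuple.

    The fourth element is 0 for pre-release builds and 1 for final releases,
    so that 8.7.1-rc1 sorts before 8.7.1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version_text):
    """Return True if the version is inside an affected range, False if fixed,
    and None if the major line is not covered by the advisory."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    # A final release equal to the fixed version is not affected; anything
    # lower, including a pre-release of the fixed version, is.
    return v < fixed + (1,)


def upgrade_plan(inventory):
    """Map each affected host to the fixed version it should move to.

    inventory: dict of hostname -> reported SuiteCRM version string.
    """
    plan = {}
    for host, version_text in inventory.items():
        if is_affected(version_text):
            fixed = FIXED_VERSIONS[parse_version(version_text)[0]]
            plan[host] = ".".join(str(part) for part in fixed)
    return plan


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "crm-legacy": "7.14.3",
    "crm-prod": "8.7.1",
    "crm-staging": "8.6.2",
}

if __name__ == "__main__":
    for host, target in upgrade_plan(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target} or later")
```

The version string can be taken from the SuiteCRM administration UI or from the instance's `suitecrm_version.php`; the script only compares numbers and does not contact any host.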
Exploit
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Suitecrm