CVE-2023-47643
moderate-risk
Published 2023-11-21
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
Do I need to act?
!
49.6% chance of exploitation in next 30 days
EPSS score — higher than 50% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10
Low
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (6)
Technical Description
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graph...
Technical Description
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graph...
34
/ 100
moderate-risk
Severity
11/34 · Low
Exploitability
18/34 · Moderate
Exposure
5/34 · Minimal