CVE-2024-36407

low-risk
Published 2024-06-10

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

Do I need to act?

-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Salesagility

References (2)

Vendor Advisory https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r
Vendor Advisory https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r
19
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal