CVE-2024-50333

Improper Input Validation (CWE-20)

Published: Nov 5, 2024 / Updated: 14d ago

CVSS 8.8 / EPSS 0.04% / High

Summary

SuiteCRM, an open-source Customer Relationship Management (CRM) software, has a vulnerability where user input is not properly validated and can be written to the filesystem. Specifically, the ParserLabel::addLabels() function can be exploited to write attacker-controlled data into the custom language file, which is then included at runtime.

Impact

This vulnerability allows an attacker with low privileges to potentially execute arbitrary code or commands on the affected system. The attacker can manipulate the custom language file, which is included at runtime, potentially leading to remote code execution. This could result in unauthorized access to sensitive data, system compromise, or disruption of services. The vulnerability has a high impact on the confidentiality, integrity, and availability of the affected system.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

Patches are available. The vulnerability has been addressed in SuiteCRM versions 7.14.6 and 8.7.1. Users are advised to upgrade to these or later versions to mitigate the risk.

Mitigation

1. Upgrade SuiteCRM to version 7.14.6 or 8.7.1, depending on your current major version.
2. If an immediate upgrade is not possible, implement strict input validation and sanitization for all user inputs, especially those that interact with the filesystem or language files.
3. Apply the principle of least privilege, limiting user access rights to the minimum necessary for their roles.
4. Monitor system logs for any suspicious activity related to filesystem writes or language file modifications.
5. Implement network segmentation to limit the potential impact if the vulnerability is exploited.
6. Regularly audit and review custom language files for any unauthorized modifications.
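Mitigation items 4 and 6 ask operators to watch for and audit modifications of the custom language files. The script below is an added example written for this page, not SuiteCRM project code. It checks the text of a language file against a strict allow-list (an opening PHP tag on line 1, comments, and one quoted-string assignment per line into $mod_strings, $app_strings or $app_list_strings) and compares the file's SHA-256 against a known-good baseline. The array names, the one-statement-per-line layout, and the two sample files are assumptions constructed for the example; anything the allow-list does not cover is reported for review rather than interpreted.

```python
"""Audit a custom language file for content outside a strict allow-list.

Added example for this page, not SuiteCRM project code. Assumed file shape:
an opening <?php tag, comments, and one quoted-string assignment per line
into $mod_strings, $app_strings or $app_list_strings. Everything else is
reported so an operator can review it (mitigation items 4 and 6).
"""
import hashlib
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, reason, line; 0 = whole file)

# A quoted literal. Single-quoted values may not contain quotes or backslashes;
# double-quoted values may additionally not contain '$', so no interpolation is
# possible. Deliberately stricter than PHP's grammar: this is an allow-list.
_LITERAL = r"""(?:'[^'\\]*'|"[^"\\$]*")"""
_ASSIGN_RE = re.compile(
    r"^\$(?:mod_strings|app_strings|app_list_strings)"  # target language array
    r"(?:\[\s*" + _LITERAL + r"\s*\])+"                 # one or more string keys
    r"\s*=\s*" + _LITERAL + r"\s*;(?:\s*//.*)?$"        # = 'value'; optional comment
)
_LINE_COMMENT_RE = re.compile(r"^(?://.*|#.*)?$")       # also matches a blank line
_OPEN_TAG_RE = re.compile(r"^<\?php$")


def audit_language_file(text: str) -> List[Finding]:
    """Return one finding per line that is not on the allow-list."""
    findings: List[Finding] = []
    in_block_comment = False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if in_block_comment:
            if "*/" in line:
                in_block_comment = False
                if line.split("*/", 1)[1].strip():
                    findings.append((no, "code after block comment", raw))
            continue
        if line.startswith("/*"):
            if "*/" not in line:
                in_block_comment = True
            elif line.split("*/", 1)[1].strip():
                findings.append((no, "code after block comment", raw))
            continue
        if _LINE_COMMENT_RE.match(line):
            continue
        if no == 1 and _OPEN_TAG_RE.match(line):
            continue  # the open tag is only expected on the first line
        if _ASSIGN_RE.match(line):
            continue
        if "<?" in line or "?>" in line:
            # A second open tag or a close tag is never expected in a language file.
            findings.append((no, "PHP tag inside file body", raw))
            continue
        findings.append((no, "statement outside the language-string allow-list", raw))
    return findings


def fingerprint(text: str) -> str:
    """SHA-256 of the file contents, to record in a known-good manifest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_against_baseline(text: str, expected_sha256: str) -> List[Finding]:
    """Drift from the baseline is reported at line 0, then structural findings."""
    findings: List[Finding] = []
    if fingerprint(text) != expected_sha256:
        findings.append((0, "contents differ from baseline manifest", ""))
    findings.extend(audit_language_file(text))
    return findings


# Constructed sample files (not taken from any real installation).
CLEAN_FILE = """<?php
// Constructed sample of a well-formed custom language file.
$mod_strings['LBL_ACCOUNT_NAME'] = 'Account Name';
$app_list_strings['status_dom']['Active'] = "Active";
"""

TAMPERED_FILE = """<?php
$mod_strings['LBL_ACCOUNT_NAME'] = 'Account Name';
$mod_strings['LBL_NOTE'] = "See {$other}";
include 'extra.php';
"""

if __name__ == "__main__":
    baseline = fingerprint(CLEAN_FILE)
    for name, content in (("clean", CLEAN_FILE), ("tampered", TAMPERED_FILE)):
        print(f"--- {name} ---")
        for line_no, reason, line in audit_against_baseline(content, baseline):
            print(f"line {line_no}: {reason}: {line.strip()}")
```

Run against a directory of custom language files with a manifest of baseline hashes taken from a trusted deployment; any finding at line 0 means the file changed since the baseline, and any other finding points at a line that is not a plain string assignment and needs a human look.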

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-50333

Nov 5, 2024 at 7:15 PM
CVSS

A CVSS base score of 6.6 has been assigned.

Nov 5, 2024 at 7:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-50333.

Nov 5, 2024 at 7:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 5, 2024 at 7:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 10:26 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 13, 2024 at 8:15 PM / nvd

Affected Systems

Salesagility/suitecrm

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

News

CVE Alert: CVE-2024-50333 - https://www.redpacketsecurity.com/cve_alert_cve-2024-50333/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_50333
NA - CVE-2024-50333 - SuiteCRM is an open-source, enterprise-ready...
CVE-2024-50333
Medium Severity. Description: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file that will be included at the runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Read more at https://www.tenable.com/cve/CVE-2024-50333
CVE-2024-50333 RCE in ModuleBuilder in SuiteCRM (same description as above)
SuiteCRM Open-Source CRM Software Vulnerable to File Inclusion Attack - Salesagility - MEDIUM - CVE-2024-50333 (same description as above)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
