CVE-2024-36408
📋 TL;DR
This CVE describes a SQL injection vulnerability in SuiteCRM's Alerts controller caused by poor input validation. An attacker who can reach the controller can inject arbitrary SQL into the query it builds, potentially compromising the CRM database. SuiteCRM 7.x before 7.14.4 and 8.x before 8.6.1 are affected.
💻 Affected Systems
- SuiteCRM
📦 What is this software?
Suitecrm by Salesagility
⚠️ Risk & Real-World Impact
Worst Case
Full read/write access to the CRM database (customer records, user password hashes, configuration), with data theft, modification, or deletion; if the database account also holds file-system privileges such as MySQL FILE, the injection can become a path to code execution on the database host.
Likely Case
Unauthorized reading of CRM data, privilege escalation by reading or altering user and role records, and manipulation of business data inside the CRM.
If Mitigated
With the fix applied, or with the database account restricted to the minimum privileges and the Alerts endpoint filtered, the impact is limited to SQL error messages or partial exposure of whatever the restricted account can still read.
🎯 Exploit Status
The advisory attributes the flaw to poor input validation in the Alerts controller; once an attacker can send requests to that controller, crafting the injection is low complexity. No public exploit code was identified at advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.14.4 and 8.6.1
Vendor Advisory: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg
Restart Required: No
Instructions:
1. Back up your SuiteCRM installation and database.
2. Update to SuiteCRM 7.14.4 (7.x branch) or 8.6.1 (8.x branch).
3. Verify the update completed successfully.
4. Test that the Alerts functionality still works.
🔧 Temporary Workarounds
Disable Alerts Module
Temporarily take the vulnerable Alerts controller out of reach to prevent exploitation.
Alerts is a core module, so Admin > Module Loader (which manages installed packages) cannot remove it, and hiding it under Admin > Display Modules and Subpanels only removes it from navigation; direct requests to index.php?module=Alerts still reach the controller. If the feature can be spared, deny requests whose module parameter is Alerts at the web server or reverse proxy instead.
Web Application Firewall Rules
Implement WAF rules to block SQL injection patterns targeting the Alerts endpoint.
Configure the WAF to block requests to /index.php?module=Alerts whose URL-decoded parameters (query string and POST body) contain SQL keywords or fragments such as UNION, SELECT, INSERT, SLEEP( or comment sequences. Keyword filters are a stop-gap: they produce false positives on legitimate record data and are bypassable through encoding, case changes and inline comments, so keep them scoped to this endpoint and log matches rather than relying on them alone.
🧯 If You Can't Patch
- Harden the Alerts controller yourself: validate every request parameter it reads and pass user-supplied values to the database only through parameterized (prepared) queries, never by string concatenation.
- Run SuiteCRM against a database account restricted to the privileges the application needs, removing DROP, CREATE, EXECUTE, FILE and SUPER so that an injection cannot escalate to file or host access.
🔍 How to Verify
Check if Vulnerable:
Check the SuiteCRM version on the About page of the web interface or in the suitecrm_version.php file (web root for 7.x; public/legacy/ for 8.x). If the version is below 7.14.4 (7.x) or below 8.6.1 (8.x), you are vulnerable.
Check Version:
grep suitecrm_version suitecrm_version.php (7.x) or grep suitecrm_version public/legacy/suitecrm_version.php (8.x), or open the About page in the web interface
Verify Fix Applied:
After updating, verify the version shows 7.14.4 or higher (7.x) or 8.6.1 or higher (8.x), then test that the Alerts functionality works without errors. Compare versions numerically, not as strings: 7.14.10 is newer than 7.14.4.
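The version check above, as an added example that is not part of the original page or SuiteCRM's own tooling. It parses the `$suitecrm_version` assignment from a suitecrm_version.php file and compares the result as a numeric tuple against the first fixed release per branch. The file location for 8.x (public/legacy/) and the exact assignment format are assumptions; confirm against the About page.

```python
import re
import sys

# First fixed release per major branch, from the vendor advisory.
FIXED_IN = {7: (7, 14, 4), 8: (8, 6, 1)}

# Matches the assignment found in suitecrm_version.php, e.g.  $suitecrm_version = '7.14.3';
VERSION_RE = re.compile(r"\$suitecrm_version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")


def parse_version(php_source):
    """Extract the version from the contents of suitecrm_version.php as a 3-tuple of ints."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $suitecrm_version assignment found")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))      # pad "7.14" -> (7, 14, 0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if the branch is affected and the version is below the fix; None for branches not covered."""
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is numeric: (7, 14, 10) > (7, 14, 4), which a string compare gets wrong.
    return version < fixed


def check_install(php_source):
    """Return (version string, status label) for a suitecrm_version.php file's contents."""
    v = parse_version(php_source)
    label = {True: "VULNERABLE", False: "patched", None: "unknown branch"}[is_vulnerable(v)]
    return ".".join(map(str, v)), label


# Constructed sample file contents (assumed format), used when no path is given.
SAMPLE_7 = "<?php\n$suitecrm_version = '7.14.3';\n"
SAMPLE_8 = "<?php\n$suitecrm_version = '8.6.1';\n"

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, encoding="utf-8") as f:
                print(path, *check_install(f.read()))
    else:
        for sample in (SAMPLE_7, SAMPLE_8):
            print(*check_install(sample))
```

Run it with the path(s) to suitecrm_version.php (for example `python3 check_version.py suitecrm_version.php`); with no arguments it evaluates the constructed samples.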
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL syntax errors in the SuiteCRM application log (suitecrm.log) attributable to the Alerts module
- Bursts of Alerts controller requests from a source that just authenticated, or that preceded them with repeated failed logins
- SQL keywords, quotes or comment sequences in the URL-decoded parameters of Alerts controller requests
Network Indicators:
- Unusual queries from the web server in the database's general or slow query log (UNION SELECT, information_schema lookups, SLEEP/BENCHMARK calls)
- SQL syntax in URL-decoded HTTP GET parameters or POST bodies sent to /index.php?module=Alerts
SIEM Query:
source="suitecrm.log" AND ("SQL syntax" OR ("Alerts" AND ("UNION" OR "SELECT" OR "INSERT")))
Run the same keyword match over URL-decoded web server access logs filtered to module=Alerts; access logs record the query string but not POST bodies, so pair them with the application log.
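The access-log detection described in this section, as an added example that is not part of the original page and not SuiteCRM's own tooling. It parses Apache/nginx combined-format lines, URL-decodes the query string, keeps only requests whose module parameter is Alerts, and reports parameters matching coarse SQL injection signatures. The log lines are constructed; the signature list is a starting point to tune, not a complete ruleset, and POST bodies are not visible in access logs.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Prefix of the Apache/nginx "combined" access-log format; the referer/agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Coarse SQL injection signatures applied to each URL-decoded parameter value.
SQLI_RE = re.compile(
    r"(?i)(union\s+(all\s+)?select|\bselect\b.+\bfrom\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"information_schema|'\s*or\s+'?\d|\bor\s+\d+\s*=\s*\d+|--\s|/\*)"
)


def decoded_params(target):
    """URL-decoded (name, value) pairs of a request target's query string."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def is_alerts_request(target):
    """True when the request addresses the Alerts controller (module=Alerts)."""
    return any(k == "module" and v.lower() == "alerts" for k, v in decoded_params(target))


def suspicious_params(target):
    """Parameters whose decoded value matches an injection signature."""
    return [(k, v) for k, v in decoded_params(target) if SQLI_RE.search(v)]


def scan_access_log(lines):
    """Return one hit per Alerts request carrying a suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not is_alerts_request(target):
            continue
        bad = suspicious_params(target)
        if bad:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "params": bad})
    return hits


# Constructed sample log lines: one benign Alerts request, one injection attempt
# against Alerts, one injection-looking request against another module (out of scope
# for this rule), and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:15:01 +0000] "GET /index.php?module=Alerts&action=get&record=abc-123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2024:10:15:09 +0000] "GET /index.php?module=Alerts&action=get&record=1%27+UNION+SELECT+user_name,user_hash+FROM+users--+ HTTP/1.1" 500 318 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Jun/2024:10:15:12 +0000] "GET /index.php?module=Accounts&action=index&name=1%27+OR+1%3D1--+ HTTP/1.1" 200 9021 "-" "curl/8.4.0"',
    '10.0.0.9 - - [12/Jun/2024:10:16:00 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 8012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The module filter keeps the rule focused on this CVE's endpoint; dropping the `is_alerts_request` check turns it into a generic SQL injection sweep of the access log, at the cost of more false positives on ordinary record data.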