CVE-2024-36412

10.0 CRITICAL

📋 TL;DR

This is a critical SQL injection vulnerability in SuiteCRM that allows attackers to execute arbitrary SQL commands through the events response entry point. All SuiteCRM instances running versions prior to 7.14.4 or 8.6.1 are affected. Attackers could potentially access, modify, or delete database contents.

💻 Affected Systems

Products:
  • SuiteCRM
Versions: All versions prior to 7.14.4 and 8.6.1
Operating Systems: All operating systems running SuiteCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access and extraction of sensitive CRM data including customer information, business records, and potentially authentication credentials.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, but still significant risk of data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity. The advisory indicates authentication is required, but once authenticated, exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.14.4 or 8.6.1

Vendor Advisory: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8

Restart Required: No

Instructions:

1. Back up your SuiteCRM instance and database.
2. Update to SuiteCRM version 7.14.4 (for the 7.x branch) or 8.6.1 (for the 8.x branch).
3. Verify the update completed successfully.
4. Test critical functionality.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation for the events response endpoint to reject SQL-related characters. Treat this as a stopgap only: character filtering in front of a query that still concatenates user input can be bypassed, so it does not replace the vendor fix.

Database Permission Reduction

all

Reduce the database user's permissions to the minimum the application needs, so that a successful injection cannot reach beyond the application's own tables or invoke database functions it does not require.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict network access to SuiteCRM to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check SuiteCRM version in Admin panel or by examining the version.php file in the installation directory.

Check Version:

grep -r 'suitecrm_version' /path/to/suitecrm/version.php

Verify Fix Applied:

Verify version is 7.14.4 or higher (for 7.x) or 8.6.1 or higher (for 8.x) in Admin panel.
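The version check above is branch-aware: a 7.x install is fixed from 7.14.4, an 8.x install from 8.6.1, and a plain string comparison gets this wrong (for example "7.9.0" sorts after "7.14.4"). The script below is an added example, not part of this advisory or of SuiteCRM itself; it assumes that version.php contains an assignment of the form $suitecrm_version = '7.14.3'; and the sample file it checks is constructed here for illustration.

```shell
#!/bin/sh
# Added example: branch-aware check of a SuiteCRM install against the
# CVE-2024-36412 fix versions (7.14.4 for 7.x, 8.6.1 for 8.x).
# Assumption: version.php holds a line like  $suitecrm_version = '7.14.3';

# extract_version FILE -> prints the first dotted version after "suitecrm_version"
extract_version() {
    sed -n 's/.*suitecrm_version[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_ge A B -> exit 0 if A >= B, comparing up to three numeric components
# (missing components count as 0, so "7.14" == "7.14.0")
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | awk -F. -v i="$i" '{ print $i + 0 }')
        y=$(printf '%s' "$2" | awk -F. -v i="$i" '{ print $i + 0 }')
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# is_vulnerable VERSION -> exit 0 if VERSION is affected by CVE-2024-36412
is_vulnerable() {
    case "$1" in
        7.*) ! version_ge "$1" 7.14.4 ;;
        8.*) ! version_ge "$1" 8.6.1 ;;
        *)   return 0 ;;   # unknown or older branch: treat as affected (conservative)
    esac
}

# Constructed sample file standing in for /path/to/suitecrm/version.php
sample=$(mktemp)
printf "<?php\n\$suitecrm_version = '7.14.3';\n" > "$sample"
v=$(extract_version "$sample")
if is_vulnerable "$v"; then
    echo "SuiteCRM $v: affected by CVE-2024-36412, upgrade to 7.14.4 (7.x) or 8.6.1 (8.x)"
else
    echo "SuiteCRM $v: contains the fix"
fi
rm -f "$sample"
```

Point extract_version at the real file on a host to reuse the check; the unknown-branch arm deliberately reports "affected" so a parse failure is never read as "patched".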

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL errors
  • Suspicious parameter values in web server logs

Network Indicators:

  • Unusual database connection patterns
  • SQL error messages in HTTP responses

SIEM Query:

source="web_server_logs" AND ("sql" OR "select" OR "union" OR "sleep(") AND status=200
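The SIEM query above keys on keywords in the request and a 200 status. As an added example (not part of this advisory, and not a SuiteCRM component), the script below applies the same logic to combined-format web server access log lines so it can be run where no SIEM is available. The log lines are constructed for this example; it also decodes the few URL-encoded characters that would otherwise hide "sleep(" from a naive keyword match, which the one-line SIEM query does not do.

```shell
#!/bin/sh
# Added example: apply the advisory's keyword indicators to access log lines.
# Assumption: combined log format, i.e.  ip - - [time] "METHOD /path HTTP/1.1" status bytes

# flag_sqli_lines: reads log lines on stdin and prints "ip<TAB>request" for every
# line whose HTTP status is 200 and whose request contains one of the indicator
# keywords (sql, select, union, sleep( ), after light URL-decoding.
flag_sqli_lines() {
    awk '
    {
        # request line is the text between the first pair of double quotes
        req = $0
        sub(/^[^"]*"/, "", req); sub(/".*/, "", req)
        # status is the first field after the closing quote of the request
        rest = $0
        sub(/^[^"]*"[^"]*" */, "", rest)
        split(rest, r, " "); status = r[1]
        # decode the encodings most likely to mask the indicators
        low = tolower(req)
        gsub(/%28/, "(", low); gsub(/%29/, ")", low); gsub(/%20|\+/, " ", low)
        if (status == "200" && (low ~ /sql/ || low ~ /select/ || low ~ /union/ || low ~ /sleep\(/))
            print $1 "\t" req
    }'
}

# count_flagged: number of flagged lines on stdin
count_flagged() {
    flag_sqli_lines | wc -l | tr -d ' '
}

# Constructed sample log (documentation IP ranges, placeholder parameters).
# Lines 2 and 3 should be flagged; line 1 is benign and line 4 has status 500.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 5123
203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?module=Accounts&q=1%20union%202 HTTP/1.1" 200 812
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?module=Accounts&q=sleep%285%29 HTTP/1.1" 200 300
198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "GET /index.php?q=select HTTP/1.1" 500 120
EOF
)

printf '%s\n' "$SAMPLE_LOG" | flag_sqli_lines
```

Bare keywords such as "select" will also hit legitimate URLs, so treat the output as a triage list and tune it to the parameters the affected entry point actually accepts; the 500-status line is excluded on purpose because the query only counts requests the application answered successfully.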

🔗 References