CVE-2022-50590

SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality

CVSS 8.8 HIGHEPSS 0.3%CWE-843

SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Affected products

SuiteCRM · SuiteCRM

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-deleteattachment-type-confusion-vulnerability/https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6 https://www.vulncheck.com/advisories/suitecrm-type-confusion-via-deleteattachment-functionality