← back
CVE-2025-54786

SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data

CVSS 5.3 MEDIUMEPSS 0.3%CWE-200CWE-284CWE-287
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
SuiteCRM · SuiteCRM-Core

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://docs.suitecrm.com/8.x/admin/releases/8.8https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm