SuiteCRM Deserialization Vulnerability Leading to Authenticated Remote Code Execution
Vulnerability
A deserialization vulnerability allowing authenticated users to execute arbitrary code has been identified in SuiteCRM versions through 7.12.7. This issue arises from the ability to upload malicious files using CRM functions, which can then be exploited through deserialization to achieve code execution.
Impact
Exploitation of this vulnerability allows for authenticated remote code execution on the server where SuiteCRM is hosted.
Reproduction
To reproduce this vulnerability, an authenticated user must upload a malicious file that can be deserialized. This can be done by using certain CRM functions that allow file uploads. Once the file is uploaded, the deserialization process can be exploited to execute arbitrary code on the server.
Remediation
Users are advised to upgrade to SuiteCRM version 7.12.8 or later, where this vulnerability has been addressed.
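The advisory does not name the CRM function or the file type involved, so the following is an added, generic PHP example (not SuiteCRM's own code) of the sink this class of bug depends on: an uploaded file's contents passed to unserialize(). It places the vulnerable call beside a hardened one that refuses to instantiate classes, plus an upload-time check that rejects serialized objects before they reach any sink. The class AuditEntry, the function names and the constructed payload are hypothetical; the hardening complements, and does not replace, the upgrade to 7.12.8.

```php
<?php
// Added example, not code from SuiteCRM: the generic PHP deserialization
// sink behind this class of bug, with the vulnerable call beside the
// hardened one. Class, function and file names are hypothetical.

// Any loaded class with a magic method is a potential gadget: unserialize()
// builds the object without calling its constructor, and __wakeup/__destruct
// then run with attacker-chosen property values.
class AuditEntry
{
    public static $destructed = [];
    public $label = '';

    public function __destruct()
    {
        // Executes automatically for objects produced by unserialize().
        self::$destructed[] = $this->label;
    }
}

// Vulnerable pattern: an uploaded file's contents go straight to unserialize(),
// so whoever uploaded the file chooses which classes get instantiated.
function loadUploadedStateVulnerable($uploadedFile)
{
    return unserialize(file_get_contents($uploadedFile));
}

// Hardened pattern: allowed_classes=false turns every object in the payload
// into __PHP_Incomplete_Class, whose magic methods are never invoked.
// Malformed input is rejected instead of silently becoming false.
function loadUploadedStateHardened($uploadedFile)
{
    $raw = file_get_contents($uploadedFile);
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new RuntimeException('Malformed serialized data rejected');
    }
    return $value;
}

// Upload-time check: a data file that declares any object (O:) or custom
// serialized class (C:) should be refused before it reaches a sink.
function containsSerializedObject($raw)
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed payload for the demonstration: a serialized AuditEntry whose
// property value was chosen by the uploader, written to a temp file as if it
// had arrived through an upload feature.
$payload = 'O:10:"AuditEntry":1:{s:5:"label";s:11:"from-upload";}';
$file = tempnam(sys_get_temp_dir(), 'crm');
file_put_contents($file, $payload);

echo containsSerializedObject($payload)
    ? "upload check: serialized object detected, upload would be rejected\n"
    : "upload check: no serialized object\n";

// Hardened loader: the object survives only as __PHP_Incomplete_Class,
// so no AuditEntry code runs.
$hard = loadUploadedStateHardened($file);
echo 'hardened loader produced: ' . get_class($hard) . "\n";
unset($hard);
echo 'destructors run so far: ' . count(AuditEntry::$destructed) . "\n";

// Vulnerable loader: a real AuditEntry is created, and its __destruct runs
// with the uploader's data as soon as the object is released.
$vuln = loadUploadedStateVulnerable($file);
echo 'vulnerable loader produced: ' . get_class($vuln) . "\n";
unset($vuln);
echo 'destructors run so far: ' . count(AuditEntry::$destructed) . "\n";

unlink($file);
```

Run it with the PHP CLI on any 7.x or 8.x interpreter. The static counter shows the difference between the two loaders: the hardened call leaves it at zero, the vulnerable call increments it once the object is released, which is the moment an attacker-controlled magic method executes in a real gadget chain. Where a format must carry only data, serializing as JSON removes the class-instantiation problem entirely.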