SuiteCRM Time-Based Blind SQL Injection Vulnerability
Vulnerability
A time-based blind SQL injection vulnerability has been identified in SuiteCRM versions through 8.9.0. This vulnerability allows authenticated attackers to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. Attackers could enumerate database, table, and column names, extract sensitive data such as user credentials and personal information, or escalate privileges in some database configurations.
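Because a time-based blind injection leaks data only through response latency, the most useful defensive signal outside the application is the access log: request durations that jump far above the endpoint's baseline, often alongside a delay function in the decoded query string. The following detector is an added example written for this page, not SuiteCRM project code and not taken from the advisory; it assumes a simple constructed log format (client IP, method, target, status, duration in milliseconds, as a web server would emit with a request-time field), and the baseline multiplier and absolute threshold are assumed tuning values.

```python
"""Flag likely time-based blind SQL injection probes in web access logs.

Added example, not SuiteCRM code. The log format and the sample lines are
constructed for this demonstration: "<ip> <method> <target> <status> <ms>".
"""
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote_plus

# Constructed sample lines. Three requests from 10.0.0.9 are probes: two carry
# an obvious delay function, the third only shows up through its duration.
SAMPLE_LOG = """\
10.0.0.5 GET /index.php?module=Contacts&action=index&page=1 200 120
10.0.0.5 GET /index.php?module=Contacts&action=index&page=2 200 135
10.0.0.9 GET /index.php?module=Contacts&action=index&page=1%27%20AND%20SLEEP%285%29--%20 200 5140
10.0.0.9 GET /index.php?module=Contacts&action=index&page=1%27%20AND%20IF%281%3D1%2CSLEEP%285%29%2C0%29--%20 200 5210
10.0.0.9 GET /index.php?module=Contacts&action=index&page=1 200 4900
10.0.0.7 GET /index.php?module=Contacts&action=index&page=3 200 110
10.0.0.7 GET /index.php?module=Accounts&action=index 200 98
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) (?P<ms>\d+)$"
)
# Delay primitives of the common SQL engines; checked against the URL-decoded query.
DELAY_FN_RE = re.compile(
    r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.IGNORECASE
)


def parse_log(text):
    """Parse log lines into dicts; path and query are split and the query decoded."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        path, _, query = m.group("target").partition("?")
        events.append({
            "ip": m.group("ip"),
            "path": path,
            "query": unquote_plus(query),
            "status": int(m.group("status")),
            "ms": int(m.group("ms")),
        })
    return events


def baseline_by_path(events):
    """Median duration per path; the median resists a handful of slow probes."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e["ms"])
    return {path: median(v) for path, v in by_path.items()}


def detect(events, slow_factor=10.0, min_slow_ms=2000):
    """Return (ip, path, decoded_query, reasons) for each suspicious request.

    A request is flagged when its decoded query contains a delay primitive, or
    when its duration is at least max(baseline * slow_factor, min_slow_ms).
    Both thresholds are assumed tuning values, not figures from the advisory.
    """
    base = baseline_by_path(events)
    findings = []
    for e in events:
        reasons = []
        if DELAY_FN_RE.search(e["query"]):
            reasons.append("delay-function in query")
        threshold = max(base[e["path"]] * slow_factor, min_slow_ms)
        if e["ms"] >= threshold:
            reasons.append(f"duration {e['ms']}ms >= {threshold:.0f}ms")
        if reasons:
            findings.append((e["ip"], e["path"], e["query"], reasons))
    return findings


def summarize(findings):
    """Count findings per client IP; repeated slow probes from one source stand out."""
    counts = defaultdict(int)
    for ip, _path, _query, _reasons in findings:
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for ip, path, query, reasons in hits:
        print(f"{ip} {path}?{query!r}: {'; '.join(reasons)}")
    print("per-source counts:", summarize(hits))
```

The signature check alone would miss the third probe, and the timing check alone gives no context for the first two; keeping both reasons on each finding lets an analyst see which signal fired, and the per-IP count turns a handful of slow requests into the repeated-measurement pattern that blind inference requires.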
Impact
Exploitation of this vulnerability could allow an authenticated attacker to enumerate database, table, and column names, extract sensitive data from the database, such as hashed passwords and personal information, and in some cases, escalate privileges or achieve remote code execution.
Remediation
Users can upgrade to SuiteCRM version 8.9.1 to address this vulnerability.
