SuiteCRM SQL Injection Vulnerability in Outbound Email Module
Vulnerability
A SQL injection vulnerability has been identified in SuiteCRM versions 7.15.0 and prior, as well as 8.9.0 and prior. The issue arises in the 'retrieve()' function within 'include/OutboundEmail/OutboundEmail.php', where the user-controlled '$id' parameter is not properly sanitized before it is used in a database query. This vulnerability can be exploited by authenticated users through the 'EmailUIAjax' action in the 'Email()' module. Because the query is not restricted to the intended table, an attacker can retrieve arbitrary information, including user data and password hashes.
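The defect described above is a record lookup that places a request-supplied id directly into SQL text. The following PHP is an added illustration, not SuiteCRM's own code: a stand-in for such a 'retrieve($id)' lookup, first in the unsafe form the advisory describes and then hardened with strict id validation and a bound parameter. The table and column names, and the use of SQLite for the demo, are assumptions made for the example.

```php
<?php
// Added illustration, not SuiteCRM's code. Table/column names are assumptions.
final class OutboundEmailLookup
{
    public function __construct(private PDO $db) {}

    // Unsafe pattern: $id is interpolated into the SQL string, so a crafted
    // value is parsed as part of the query instead of being treated as data.
    public function retrieveUnsafe(string $id): ?array
    {
        $sql = "SELECT id, name, mail_smtpserver FROM outbound_email WHERE id = '$id'";
        $row = $this->db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // Hardened: reject anything that does not look like a record id before it
    // reaches the database, then bind the value as a parameter so it can never
    // alter the query structure. SuiteCRM record ids are 36-character GUIDs.
    public function retrieve(string $id): ?array
    {
        if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $id)) {
            throw new InvalidArgumentException('Malformed record id');
        }
        $stmt = $this->db->prepare(
            'SELECT id, name, mail_smtpserver FROM outbound_email WHERE id = :id'
        );
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE outbound_email (id TEXT PRIMARY KEY, name TEXT, mail_smtpserver TEXT)');
$db->exec("INSERT INTO outbound_email VALUES "
    . "('11111111-2222-3333-4444-555555555555', 'system', 'smtp.example.test')");

$lookup = new OutboundEmailLookup($db);
$row = $lookup->retrieve('11111111-2222-3333-4444-555555555555');
echo "found: {$row['name']}\n";
try {
    $lookup->retrieve('not-a-guid');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Validation alone narrows the input to the expected shape; the prepared statement is what removes the injection class regardless of what passes validation.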
Impact
Exploitation of this vulnerability could lead to authenticated blind SQL injection, allowing attackers to manipulate database queries and potentially access sensitive information such as user details and password hashes.
Remediation
Users can upgrade to SuiteCRM version 7.15.1 or 8.9.3 to address this vulnerability.
