SuiteCRM Unsafe Deserialization Vulnerability in SavedSearch Component Allowing Authenticated Remote Code Execution
Vulnerability
A vulnerability allowing authenticated administrators to execute arbitrary system commands on the server has been identified in SuiteCRM versions through 8.9.2. This issue arises from unsafe deserialization in the SavedSearch filter processing component, where user-controlled data from the saved_search.contents database column is unserialized without proper restrictions on instantiable classes. The vulnerability has been patched in SuiteCRM version 8.9.3.
Impact
Exploitation of this vulnerability allows for authenticated remote code execution on the server.
Remediation
Users can upgrade to SuiteCRM version 8.9.3 to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.