CVE-2024-49774

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-49774

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49774.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-49774

Aliases

BIT-suitecrm-2024-49774
GHSA-9v56-vhp4-x227

Published

2024-11-05T18:37:05.422Z

Modified

2026-04-10T05:18:03.734844Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

ModuleScanner flaws in SuiteCRM

Details

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses tokengetall to parse PHP scripts and check the resulted AST against blacklists. But it doesn't take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49774.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

Git / github.com/salesagility/suitecrm

Affected ranges

Type: GIT
Repo: https://github.com/salesagility/suitecrm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e572230abd0dad205b24a96acce72590b20bf69d

Affected versions

7.*

7.9.6

v.*

v.7.9.11

v7.*

v7.0.2

v7.1

v7.1.1

v7.1.2

v7.1.3

v7.1.4

v7.10.0

v7.10.1

v7.10.10

v7.10.11

v7.10.12

v7.10.2

v7.10.3

v7.10.4

v7.10.5

v7.10.6

v7.10.7

v7.11.0

v7.11.1

v7.11.11

v7.11.12

v7.11.13

v7.11.14

v7.11.15

v7.11.16

v7.11.17

v7.11.18

v7.11.2

v7.11.3

v7.11.4

v7.11.5

v7.11.6

v7.11.7

v7.11.8

v7.12-rc

v7.12.0

v7.12.1

v7.12.2

v7.12.3

v7.12.4

v7.12.5

v7.12.6

v7.12.7

v7.12.8

v7.13.0

v7.13.0-beta

v7.13.1

v7.13.2

v7.13.3

v7.13.4

v7.14.0

v7.14.0-beta

v7.14.1

v7.14.2

v7.14.3

v7.14.4

v7.14.5

v7.2

v7.2.1

v7.2beta

v7.2beta2

v7.3

v7.3-beta

v7.3.1

v7.3.2

v7.4.1

v7.4.2

v7.4.3

v7.5-beta

v7.5-beta.2

v7.5.1

v7.6

v7.6.1

v7.7

v7.7-beta1

v7.7-beta2

v7.7-rc

v7.7-rc2

v7.7.2

v7.7.3

v7.7.4

v7.8.0

v7.8.0-beta

v7.8.0-beta.2

v7.8.0-rc

v7.8.1

v7.8.2

v7.9.0

v7.9.0-beta

v7.9.0-rc

v7.9.1

v7.9.10

v7.9.11

v7.9.12

v7.9.13

v7.9.14

v7.9.3

v7.9.4

v7.9.5

v7.9.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49774.json"

Git / github.com/salesagility/suitecrm-core

Affected ranges

Type

GIT

Repo

https://github.com/salesagility/suitecrm-core

Events

Introduced

55c1ee9cbdf409ed41c04da0bbf442b311a3ab57

Fixed

582636a2a77f2fe0241a69bd59f0daf11b139594

Database specific

{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.7.1"
        }
    ]
}

Affected versions

v8.*

v8.0.0

v8.0.1

v8.0.2

v8.0.3

v8.0.4

v8.1.0

v8.1.1

v8.1.2

v8.1.3

v8.2.0

v8.2.0-beta.2

v8.2.1

v8.2.2

v8.2.3

v8.2.4

v8.3.0

v8.3.1

v8.4.0

v8.4.0-beta

v8.4.1

v8.4.2

v8.5.0

v8.5.1

v8.6.0

v8.6.1

v8.6.2

v8.7.0

v8.7.0-beta

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49774.json"