CVE-2025-64490

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-64490

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64490.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64490

Aliases

GHSA-jh8v-wqgj-hhc2

Published

2025-11-08T00:22:38.183Z

Modified

2025-12-08T23:54:40.044997Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator

Summary

SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass

Details

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1.

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64490.json"
}

References

Affected packages

Git / github.com/salesagility/suitecrm

Affected ranges

Type: GIT
Repo: https://github.com/salesagility/suitecrm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

40da2845a170832a4e9e9fa0ebe731f8c34de42d

Affected versions

7.*

7.2.2

7.9.15

7.9.6

v.*

v.7.9.11

v7.*

v7.0.1

v7.0.2

v7.1

v7.1.1

v7.1.2

v7.1.3

v7.1.4

v7.1.5

v7.10-RC

v7.10-RC-2

v7.10-beta

v7.10-beta-2

v7.10-beta-3

v7.10.0

v7.10.1

v7.10.10

v7.10.11

v7.10.12

v7.10.13

v7.10.14

v7.10.15

v7.10.16

v7.10.17

v7.10.18

v7.10.19

v7.10.2

v7.10.20

v7.10.21

v7.10.22

v7.10.23

v7.10.3

v7.10.4

v7.10.5

v7.10.6

v7.10.7

v7.10.8

v7.10.9

v7.11-beta

v7.11-rc

v7.11-rc-2

v7.11.0

v7.11.1

v7.11.10

v7.11.11

v7.11.12

v7.11.13

v7.11.14

v7.11.15

v7.11.16

v7.11.17

v7.11.18

v7.11.19

v7.11.2

v7.11.20

v7.11.21

v7.11.22

v7.11.3

v7.11.4

v7.11.5

v7.11.6

v7.11.7

v7.11.8

v7.11.9

v7.12-rc

v7.12.0

v7.12.1

v7.12.10

v7.12.11

v7.12.12

v7.12.2

v7.12.3

v7.12.4

v7.12.5

v7.12.6

v7.12.7

v7.12.8

v7.12.9

v7.13.0

v7.13.0-beta

v7.13.1

v7.13.2

v7.13.3

v7.13.4

v7.14.0

v7.14.0-beta

v7.14.1

v7.14.2

v7.14.3

v7.14.4

v7.14.5

v7.14.6

v7.14.7

v7.1RC

v7.1RC2

v7.1beta

v7.1beta2

v7.2

v7.2.1

v7.2.2

v7.2.3

v7.2.4

v7.2beta

v7.2beta2

v7.2beta3

v7.3

v7.3-beta

v7.3.1

v7.3.2

v7.3beta3

v7.4

v7.4-beta

v7.4-beta.2

v7.4.1

v7.4.2

v7.4.3

v7.5-beta

v7.5-beta.2

v7.5-rc

v7.5.1

v7.5.2

v7.5.3

v7.6

v7.6-beta-1

v7.6-beta.2

v7.6-rc

v7.6.1

v7.6.2

v7.6.3

v7.6.4

v7.6.5

v7.6.6

v7.7

v7.7-beta1

v7.7-beta2

v7.7-rc

v7.7-rc2

v7.7.1

v7.7.2

v7.7.3

v7.7.4

v7.7.5

v7.7.6

v7.7.7

v7.7.8

v7.7.9

v7.8.0

v7.8.0-beta

v7.8.0-beta.2

v7.8.0-rc

v7.8.1

v7.8.10

v7.8.11

v7.8.12

v7.8.13

v7.8.14

v7.8.15

v7.8.16

v7.8.17

v7.8.18

v7.8.19

v7.8.2

v7.8.20

v7.8.3

v7.8.4

v7.8.5

v7.8.6

v7.8.7

v7.8.8

v7.8.9

v7.9.0

v7.9.0-beta

v7.9.0-rc

v7.9.1

v7.9.10

v7.9.11

v7.9.12

v7.9.13

v7.9.14

v7.9.16

v7.9.17

v7.9.2

v7.9.3

v7.9.4

v7.9.5

v7.9.7

v7.9.8

v7.9.9

Git / github.com/salesagility/suitecrm-core

Affected ranges

Type: GIT
Repo: https://github.com/salesagility/suitecrm-core
Events: Introduced

55c1ee9cbdf409ed41c04da0bbf442b311a3ab57

Fixed

682dd9bc23bec55d05b8c5cae9f259e242d3b6cc

Affected versions

v8.*

v8.0.0

v8.0.1

v8.0.2

v8.0.3

v8.0.4

v8.1.0

v8.1.1

v8.1.2

v8.1.3

v8.2.0

v8.2.0-beta.2

v8.2.1

v8.2.2

v8.2.3

v8.2.4

v8.3.0

v8.3.1

v8.4.0

v8.4.0-beta

v8.4.1

v8.4.2

v8.5.0

v8.5.1

v8.6.0

v8.6.1

v8.6.2

v8.7.0

v8.7.0-beta

v8.7.1

v8.8.0

v8.8.0-beta

v8.8.1

v8.9.0