Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass
Vulnerability Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
SuiteCRM 安全特征问题漏洞
Vulnerability Description
SuiteCRM是SuiteCRM团队的一个客户关系管理系统。 SuiteCRM 7.15.0版本和8.9.2版本存在安全特征问题漏洞,该漏洞源于ModuleScanner.php中PHP令牌解析存在缺陷,可能导致经过身份验证的管理员执行任意系统命令。
CVSS Information
N/A
Vulnerability Type
N/A