Deserialization of Untrusted Data

Affecting jakubpas/suitecrm package, versions >=0.0.0


Overview

jakubpas/suitecrm is a Composer fork of SuiteCRM, the open source alternative to SalesForce, Microsoft Dynamics and SugarCRM Professional.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Phar Deserialization is possible due to insufficient checks within the admin area.

Note: jakubpas/suitecrm is an out-of-date fork of SuiteCRM, and the chain needed to exploit the vulnerability successfully differs for this out-of-date fork.
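As an added example (not code from jakubpas/suitecrm or SuiteCRM), the defensive pattern that closes this bug class: a user-supplied path is validated before it reaches any PHP filesystem call, and the phar wrapper is unregistered as defence in depth. The function name `resolveUploadPath`, the `upload` directory and the `file` request parameter are assumptions.

```php
<?php
// Added example, not SuiteCRM code. In PHP before 8.0, filesystem functions
// such as file_exists(), is_file(), filesize() and file_get_contents() on a
// "phar://" path parse the archive and unserialize() its metadata, so a path
// that reaches them must be constrained to a plain local file first.

// Hardened handler: accept only a relative filename inside one base
// directory, rejecting stream wrappers and traversal before any
// filesystem call sees the value. Returns null on anything suspicious.
function resolveUploadPath(string $baseDir, string $userPath): ?string
{
    // Reject anything carrying a scheme (phar://, php://, data://, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath)) {
        return null;
    }
    // Reject NUL bytes, traversal and absolute paths.
    if (strpos($userPath, "\0") !== false || strpos($userPath, '..') !== false
        || $userPath === '' || $userPath[0] === '/' || $userPath[0] === '\\') {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() does not support stream wrappers and only succeeds for
    // existing local files, so it is a second barrier against phar://.
    $real = realpath(rtrim($baseDir, '/') . '/' . $userPath);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Defence in depth: if the application never needs phar:// at runtime,
// disable the wrapper process-wide, as early as possible (e.g. in bootstrap).
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Usage (assumed admin action): only a validated path reaches filesize().
$path = resolveUploadPath(__DIR__ . '/upload', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
echo filesize($path);
```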

Remediation

There is no fixed version for jakubpas/suitecrm.

References

CVSS Score

6.7 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: Low

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L/E:P/RL:U/RC:C
Credit: Snyk Security Team
CWE: CWE-502
Snyk ID: SNYK-PHP-JAKUBPASSUITECRM-1277522
Disclosed: 28 Apr, 2021
Published: 29 Apr, 2021