CVE-2024-36415
SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution
8.8
HIGH
CVSS 3.1
EPSS 4.0%
Description
SuiteCRM is an open-source Customer Relationship Management (CRM) application. Prior to versions 7.14.4 and 8.6.1, insufficient verification of files uploaded through the Products module allows an authenticated user (the CVSS vector below requires low privileges, PR:L) to achieve remote code execution: a dangerous file can be uploaded and then reached through a PHP include whose filename is not properly controlled. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
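The advisory names two weakness classes, an unrestricted upload and an include statement whose filename is not properly controlled. The following is an added, generic PHP illustration of both patterns next to their hardened forms; it is not SuiteCRM code and says nothing about where the real bug sat. Function names, the upload field layout, the allow-list and the view map are assumptions chosen for the example.

```php
<?php
// Added illustration, not SuiteCRM code. Function names, directories and
// the allow-lists below are assumptions for the example.

// --- Vulnerable pattern -----------------------------------------------------
// The client-supplied name is used as-is, so "shell.php" lands in a
// web-served directory, and the include path is built from request input.
function vulnerable_upload(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];   // attacker chooses the name
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

function vulnerable_include(string $uploadDir, string $name): void
{
    include $uploadDir . '/' . $name;           // attacker controls $name
}

// --- Hardened pattern -------------------------------------------------------
// Extension allow-list paired with the content type the file must really have.
const ALLOWED_EXT = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

function safe_upload(array $file, string $storageDir): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // The client name is used for exactly one thing: an allow-listed extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real content type; the client-sent $file['type'] is untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_EXT[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Server-generated opaque name, stored in a directory outside the web root
    // (assumed to be $storageDir), never executable.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($storageDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);
    return $stored;   // only the opaque name is handed back to the application
}

// Includes are never built from user input: a request key selects a fixed file.
const INCLUDE_MAP = [
    'detail' => 'views/detail.php',
    'list'   => 'views/list.php',
];

function safe_include(string $viewKey): void
{
    if (!array_key_exists($viewKey, INCLUDE_MAP)) {
        throw new RuntimeException('unknown view');
    }
    include __DIR__ . '/' . INCLUDE_MAP[$viewKey];
}
```

The two hardening steps are independent and both matter: a renamed, non-executable file in a non-served directory cannot be requested as a script, and a fixed map means no request parameter ever reaches an `include`, so neither half of the chain described in the title is available.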
How to fix CVE-2024-36415
To remediate CVE-2024-36415, upgrade SuiteCRM to the fixed release for the branch you run:
- 7.x: upgrade to 7.14.4 or later
- 8.x: upgrade to 8.6.1 or later
Is CVE-2024-36415 being exploited?
Low: EPSS is 4.0%, the estimated probability that this vulnerability is exploited in the wild within the next 30 days. The score is a prediction, not a report of observed attacks, and a value this low suggests exploitation has not been seen at scale.
Affected packages (1)
- SuiteCRM: >= 0, < 7.14.4; >= 8.0.0, < 8.6.1
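The two affected ranges above cover both supported branches, and the upgrade target differs by branch. The following added helper (not part of this page or of SuiteCRM) turns those ranges into an inventory check: it parses a dotted version string, reports whether it is affected, and names the fixed release on the same branch. The range table and the handling of pre-release suffixes are assumptions made here.

```python
from typing import Tuple

# Affected ranges as listed on this page: >= 0, < 7.14.4 and >= 8.0.0, < 8.6.1.
# (Added helper, not SuiteCRM code; the table below is this example's own.)
AFFECTED_RANGES = (
    ((0,), (7, 14, 4)),
    ((8, 0, 0), (8, 6, 1)),
)

# Minimum fixed release per major branch, from the page's "How to fix" section.
FIXED_BY_BRANCH = {7: "7.14.4", 8: "8.6.1"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '7.14.3' into a comparable tuple.

    A non-numeric suffix such as '-beta' on a component is dropped (assumed
    behaviour: '8.6.0-beta' is treated as 8.6.0, which is still affected).
    """
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def _pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '8.6' compares as 8.6.0."""
    return t + (0,) * (n - len(t))


def is_affected(version: str) -> bool:
    """True if the given SuiteCRM version falls inside any affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) < _pad(hi, n):
            return True
    return False


def fixed_version_for(version: str) -> str:
    """Return the minimum fixed release on the installed major branch.

    Versions below 7.x have no same-branch fix; the lowest fixed release is
    reported for them (assumption made for this example).
    """
    major = parse_version(version)[0]
    return FIXED_BY_BRANCH.get(major, "7.14.4")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("crm-a", "7.14.3"), ("crm-b", "8.6.0"), ("crm-c", "8.6.1")]:
        state = "AFFECTED, upgrade to " + fixed_version_for(ver) if is_affected(ver) else "ok"
        print(f"{host}: {ver} -> {state}")
```

Run it against the versions reported by your inventory tooling; anything flagged should move to the branch's fixed release rather than being patched ad hoc, since both the upload check and the include path are involved.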
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |