CVE-2022-45185
Published: 07 January 2025
Description
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution.
Security Summary
CVE-2022-45185 is a deserialization vulnerability (CWE-502) discovered in SuiteCRM version 7.12.7. It enables authenticated users to upload malicious files via CRM functions, which can then be leveraged for remote code execution. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), placing it in the High severity range.
Exploitation requires only low-privileged authenticated access and can be carried out over the network with low attack complexity and no user interaction. A successful attacker can achieve arbitrary code execution on the affected server, with high impact on confidentiality, integrity, and availability.
Advisories and patches are referenced in the SuiteCRM 7.12.x release documentation at https://docs.suitecrm.com/admin/releases/7.12.x/. Proof-of-concept code demonstrating the exploit is publicly available in the Orange Cyberdefense CVE repository at https://github.com/Orange-Cyberdefense/CVE-repository/ and specifically at https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/poc_SuiteCRM.py.
Details
- CWE(s)