Cyber Posture

CVE-2022-45186

Severity: High · Public PoC available

Published: 07 January 2025

Modified: 15 April 2025
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (31.3rd percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.

Security Summary

CVE-2022-45186 is a vulnerability in SuiteCRM version 7.12.7 that allows authenticated users to recover an arbitrary field from the database. It affects the open-source customer relationship management software SuiteCRM, specifically the 7.12.7 release, and exposes database content beyond what the user's role is entitled to read.

The vulnerability is reachable over the network, has low attack complexity, requires only low privileges (any authenticated account) and needs no user interaction. Successful exploitation has a high impact on confidentiality, since arbitrary database fields can be recovered, and a high impact on integrity, since unauthorized modification may also be possible; availability is not affected. This is reflected in the CVSS v3.1 base score of 8.1.

Mitigation details are available in the SuiteCRM 7.12.x release documentation, which covers the patches and updates for affected versions. Additional resources include the Orange Cyberdefense CVE repository and its corresponding proof-of-concept script demonstrating the issue.

Details

CWE(s): NVD-CWE-noinfo (insufficient information to assign a weakness type)

Affected Products

Vendor: salesagility
Product: suitecrm
Version: 7.12.7

References