CVE-2024-36407
LOWDescription
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| salesagility | suitecrm |
| salesagility | suitecrm |
References
Frequently Asked Questions
What is CVE-2024-36407? +
How severe is CVE-2024-36407? +
What products are affected by CVE-2024-36407? +
How do I check if I'm vulnerable to CVE-2024-36407? +
Related Vulnerabilities
This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An …
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server …
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a `ClientPasswordReset` record already …
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, …
The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the …
flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset …