
Exploit for SuiteCRM <= 7.14.3 and 8.6.0 - Unauthenticated SQL Injection (CVE-2024-36412)

Description:

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the events response entry point allows for a SQL injection attack. This makes it possible for unauthenticated attackers to append additional SQL queries into existing queries, which can be used to extract sensitive information from the database.

Affected Products:

SuiteCRM 7.x up to and including 7.14.3 and SuiteCRM 8.x up to and including 8.6.0 (fixed in 7.14.4 and 8.6.1).

Proof of Concept

PoC exploits

Nuclei Template

Template file: CVE-2024-36412.yaml (http/cves/2024/CVE-2024-36412.yaml in the nuclei-templates repository)

Validate with Nuclei

# $URL holds the base URL of the SuiteCRM instance to check
echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-36412.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-36412
https://0x5001.com/web-security/cve-2024-36412-proof-of-concept