CVE-2023-47643
published 2023-11-21


Priority: P179 (medium)
CVSS 3.1 base score: 5.3
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 3.00% (85.7th percentile)
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.

Affected (2 ranges)

Vendor        Product         Version range   Fixed in
salesagility  suitecrm        (not listed)    (not listed)
salesagility  suitecrm-core   < 8.4.2         8.4.2

Detection & IOCs (extracted from sources)

URL: /api/graphql
Command: {"query":"query IntrospectionQuery {\r\n __schema {\r\n \r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n \r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n \r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n \r\n \r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }"}
Cookie: XSRF-TOKEN
  • Send an unauthenticated POST to /api/graphql with a GraphQL IntrospectionQuery payload and Content-Type: application/json; a vulnerable SuiteCRM instance returns HTTP 200 with body fields 'userHash', 'authenticateId', and 'systemGeneratedPassword' all present simultaneously.
  • The exploit requires a two-step HTTP flow: first GET / to harvest the XSRF-TOKEN cookie from the response headers, then POST /api/graphql supplying that token in the X-XSRF-TOKEN request header alongside the introspection query body.
  • Shodan/FOFA/Google dork fingerprinting for exposed SuiteCRM instances: search for page title 'SuiteCRM' to identify potential targets.
  • Sensitive fields exposed via unauthenticated introspection include 'userHash', 'authenticateId', and 'systemGeneratedPassword' — monitor GraphQL responses for these field names in unauthenticated sessions.
  • There are no known workarounds for this issue other than upgrading to the patched version.
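The detection bullets above describe what a vulnerable response looks like: an unauthenticated request for `__schema` answered with HTTP 200 and a schema that exposes `userHash`, `authenticateId` and `systemGeneratedPassword`. The following Python is an added example (not from this record, SuiteCRM, or any scanner) that classifies an observed `/api/graphql` response the way a defender's proxy or log-review script would. The response bodies are constructed samples; the type name `User` and the non-sensitive field names in them are assumptions made for illustration.

```python
import json

# Field names this record identifies as sensitive in the SuiteCRM schema.
SENSITIVE_FIELDS = {"userHash", "authenticateId", "systemGeneratedPassword"}

# Constructed sample: a trimmed response of the shape a GraphQL server
# returns for the IntrospectionQuery shown above. The type name "User" and
# the "id"/"user" fields are assumptions; the three sensitive names are
# taken from the record.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "types": [
                {"kind": "OBJECT", "name": "Query",
                 "fields": [{"name": "user",
                             "type": {"kind": "OBJECT", "name": "User"}}]},
                {"kind": "OBJECT", "name": "User",
                 "fields": [
                     {"name": "id", "type": {"kind": "SCALAR", "name": "ID"}},
                     {"name": "userHash",
                      "type": {"kind": "SCALAR", "name": "String"}},
                     {"name": "authenticateId",
                      "type": {"kind": "SCALAR", "name": "String"}},
                     {"name": "systemGeneratedPassword",
                      "type": {"kind": "SCALAR", "name": "String"}},
                 ]},
                {"kind": "SCALAR", "name": "String", "fields": None},
            ],
        }
    }
})

# Constructed sample of what a server that refuses unauthenticated
# introspection might answer (the exact message is an assumption).
PATCHED_RESPONSE = json.dumps({"errors": [{"message": "Unauthorized"}]})


def introspection_exposed(body: str) -> bool:
    """True if the body carries a populated __schema object, i.e. the
    server answered an introspection query instead of refusing it."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    schema = (doc.get("data") or {}).get("__schema")
    return isinstance(schema, dict) and bool(schema.get("types"))


def sensitive_fields(body: str) -> dict:
    """Map each sensitive field name found in the schema to the list of
    object types that expose it."""
    found = {}
    doc = json.loads(body)
    schema = (doc.get("data") or {}).get("__schema") or {}
    for type_def in schema.get("types") or []:
        for field in type_def.get("fields") or []:
            name = field.get("name")
            if name in SENSITIVE_FIELDS:
                found.setdefault(name, []).append(type_def["name"])
    return found


def assess(status: int, authenticated: bool, body: str) -> str:
    """Classify one observed /api/graphql response.

    "ok"                 - authenticated caller, non-200, or no schema returned
    "introspection-open" - unauthenticated schema, but not all three sensitive
                           fields present
    "vulnerable"         - matches the record's indicator: HTTP 200 to an
                           unauthenticated caller with all three fields present
    """
    if authenticated or status != 200 or not introspection_exposed(body):
        return "ok"
    hits = sensitive_fields(body)
    if SENSITIVE_FIELDS <= set(hits):
        return "vulnerable"
    return "introspection-open"


if __name__ == "__main__":
    print("unauth, pre-8.4.2 shape:", assess(200, False, SAMPLE_RESPONSE))
    print("unauth, patched shape:  ", assess(200, False, PATCHED_RESPONSE))
    print("fields:", sensitive_fields(SAMPLE_RESPONSE))
```

Feed `assess` the status code, whether the session carried valid credentials, and the raw body as recorded by a reverse proxy or WAF; a "vulnerable" result on an instance you operate means the upgrade to 8.4.2 has not landed, and any "introspection-open" result is worth a ticket even where the three named fields are absent.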

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         3.1       5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck   3.1               LOW