CVE-2024-36412
published 2024-06-10

Priority: P2 · 66
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.69% (92.0th percentile)
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

Affected (3 ranges)

Vendor         Product    Version range        Fixed in
salesagility   suitecrm   < 7.14.4             7.14.4
salesagility   suitecrm
salesagility   suitecrm   >= 8.0.0 < 8.6.1     8.6.1

Detection & IOCs (extracted from sources)

URL: /index.php?entryPoint=responseEntryPoint&event=1&delegate=a=6"
  • Look for HTTP GET requests targeting the `responseEntryPoint` entry point with a `delegate` parameter containing SQL injection payloads (e.g., unescaped quotes or time-based blind SQLi syntax).
  • Successful exploitation responses contain one of two specific strings in the HTTP body, indicating the injection was processed by the events response handler.
  • Use Shodan/FOFA queries to identify exposed SuiteCRM instances as potential targets; title-based fingerprinting is reliable for this product.
  • The vulnerability is an unauthenticated (PR:N, UI:N), time-based SQL injection; monitor for anomalous slow queries or delayed responses on `/index.php?entryPoint=responseEntryPoint` paths.
  • Tag detection rules with `time-based-sqli`, `suitecrm`, and `sqli` for triage; EPSS score of 0.93636 (99.8th percentile) indicates very high exploitation probability in the wild.
  • The Nuclei template uses a 15-second timeout to accommodate time-based blind SQLi delays; detection rules or WAF signatures should account for intentionally slow responses on this endpoint.
  • Affected versions are strictly prior to 7.14.4 and 8.6.1; version checks should target the CPE `cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*` with upper bounds at those fixed releases.
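The two detection ideas above (suspicious `delegate` values on the `responseEntryPoint` path, and unusually slow responses on that path) as one log-scanning function. This is an added example, not code from the cvebase page or from SuiteCRM; the log lines are constructed, the access-log format is assumed to be combined format with a trailing request-time field (as nginx's `$request_time` logs it), and the 5-second slow-response threshold is an assumption to tune per site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real system). The final
# field is the request time in seconds, as nginx's $request_time would log it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?module=Home HTTP/1.1" 200 512 0.041
203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=a=6%22 HTTP/1.1" 200 88 0.120
203.0.113.9 - - [10/Jun/2024:12:00:18 +0000] "GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=7 HTTP/1.1" 200 88 15.003
198.51.100.2 - - [10/Jun/2024:12:00:20 +0000] "GET /index.php?entryPoint=responseEntryPoint&event=1&delegate=42 HTTP/1.1" 200 88 0.050
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
# Injection indicators in the delegate value: quotes, SQL comment sequences and
# the delay functions that time-based blind SQLi relies on.
SUSPICIOUS_RE = re.compile(r"""['"]|--|/\*|#|\b(sleep|benchmark|waitfor)\b""", re.IGNORECASE)
SLOW_SECONDS = 5.0  # assumed threshold; tune to the site's normal latency


def analyse_line(line):
    """Return a finding dict for a suspicious responseEntryPoint request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if parts.path != "/index.php" or qs.get("entryPoint") != ["responseEntryPoint"]:
        return None
    reasons = []
    delegate = qs.get("delegate", [""])[0]
    if SUSPICIOUS_RE.search(delegate):
        reasons.append("suspicious delegate value")
    rt = float(m.group("rt"))
    if rt >= SLOW_SECONDS:
        reasons.append(f"slow response ({rt:.1f}s)")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "delegate": delegate, "reasons": reasons}


def scan(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```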