CVE-2021-25961
First published: Wed Sep 29 2021(Updated: )
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SalesAgility SuiteCRM | >=7.1.7<7.10.32 | |
| SalesAgility SuiteCRM | >=7.11.0<7.11.21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-25961?
CVE-2021-25961 is a vulnerability in the SuiteCRM application that allows for account takeover of newly created users with the same user ID as a deleted user.
What is the severity of CVE-2021-25961?
CVE-2021-25961 has a severity level of high (8 out of 10).
How does CVE-2021-25961 work?
CVE-2021-25961 occurs due to a failure in properly invalidating password reset links associated with a deleted user ID, allowing for potential account takeover by new users with the same user ID.
Which versions of SuiteCRM are affected by CVE-2021-25961?
SuiteCRM versions v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 are affected by CVE-2021-25961.
How can I fix CVE-2021-25961?
To fix CVE-2021-25961, users should update to SuiteCRM versions 7.10.32 or later for v7.1.x, and 7.11.21 or later for v7.11.x.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/salesagility
- canonical/salesagility suitecrm
- version/salesagility suitecrm/7.1.7
- version/salesagility suitecrm/7.11.0