CVE-2023-47643: SuiteCRM has Unauthenticated Graphql Introspection Enabled
First published: Tue Nov 21 2023(Updated: )
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SalesAgility SuiteCRM | =8.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-47643?
CVE-2023-47643 is a vulnerability in SuiteCRM where Graphql Introspection is enabled without authentication.
What is SuiteCRM?
SuiteCRM is a Customer Relationship Management (CRM) software application.
What is the severity of CVE-2023-47643?
CVE-2023-47643 has a severity rating of 5.3 (medium).
How does CVE-2023-47643 affect SuiteCRM?
CVE-2023-47643 affects SuiteCRM version 8.4.1.
How can an attacker exploit CVE-2023-47643?
An attacker can exploit CVE-2023-47643 by obtaining the GraphQL schema and understanding the entire structure of the application.
- collector/mitre-cve
- collector/nvd-api
- vendor/salesagility
- canonical/salesagility suitecrm
- version/salesagility suitecrm/8.4.1