What is the severity of CVE-2024-36407?

The severity of CVE-2024-36407 is considered moderate due to the potential for user annoyance and impact on account security.

How do I fix CVE-2024-36407?

To fix CVE-2024-36407, upgrade SuiteCRM to version 7.14.4 or 8.6.1 or later.

What versions of SuiteCRM are impacted by CVE-2024-36407?

CVE-2024-36407 affects SuiteCRM versions prior to 7.14.4 and between 8.0.0 and 8.6.1.

Can an attacker gain access to user accounts through CVE-2024-36407?

No, the attacker cannot gain access to user accounts as they do not receive the new password.

What kind of attack does CVE-2024-36407 describe?

CVE-2024-36407 describes an unauthenticated password reset vulnerability.

Vulnerability/
CVE-2024-36407

medium

6.5

CWE

640

10/6/2024

2/8/2024

CVE-2024-36407: SuiteCRM unauthenticated user password reset on php7

First published: Mon Jun 10 2024(Updated: )

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
SugarCRM	<7.14.4
SugarCRM	>=8.0.0<8.6.1

Never miss a vulnerability like this again

Reference Links

https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r

Frequently Asked Questions

What is the severity of CVE-2024-36407?
The severity of CVE-2024-36407 is considered moderate due to the potential for user annoyance and impact on account security.
How do I fix CVE-2024-36407?
To fix CVE-2024-36407, upgrade SuiteCRM to version 7.14.4 or 8.6.1 or later.
What versions of SuiteCRM are impacted by CVE-2024-36407?
CVE-2024-36407 affects SuiteCRM versions prior to 7.14.4 and between 8.0.0 and 8.6.1.
Can an attacker gain access to user accounts through CVE-2024-36407?
No, the attacker cannot gain access to user accounts as they do not receive the new password.
What kind of attack does CVE-2024-36407 describe?
CVE-2024-36407 describes an unauthenticated password reset vulnerability.

agent/title
agent/weakness
agent/references
agent/type
agent/first-publish-date
agent/author
agent/event
agent/severity
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/salesagility
canonical/sugarcrm
version/sugarcrm/8.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.