CVE-2023-6388 - OpenCVE

Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to SSRF.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Salesagility	Suitecrm

Configuration 1 [-]

cpe:2.3:a:salesagility:suitecrm:7.14.2:*:*:*:*:*:*:*

References

Link	Resource
https://fluidattacks.com/advisories/leon/	Exploit Third Party Advisory
https://github.com/salesagility/SuiteCRM/	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2024-02-07T02:47:59.391Z

Updated: 2024-07-05T17:21:39.515Z

Reserved: 2023-11-29T18:12:28.111Z

Link: CVE-2023-6388

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-02-07T03:15:49.857

Modified: 2024-02-14T20:15:52.940

Link: CVE-2023-6388

JSON object: View

Redhat Information

No data.

CWE

CWE-918

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6388", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2023-11-29T18:12:28.111Z", "datePublished": "2024-02-07T02:47:59.391Z", "dateUpdated": "2024-07-05T17:21:39.515Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Suite CRM", "vendor": "Suite CRM", "versions": [{"status": "affected", "version": "7.14.2"}]}], "datePublic": "2024-02-07T02:43:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>Suite CRM version 7.14.2 allows making arbitrary HTTP requests through</div><div>the vulnerable server. This is possible because the application is vulnerable</div><div>to SSRF.</div></div><br>"}], "value": "Suite CRM version 7.14.2 allows making arbitrary HTTP requests through\n\nthe vulnerable server. This is possible because the application is vulnerable\n\nto SSRF.\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-300", "descriptions": [{"lang": "en", "value": "CAPEC-300 Port Scanning"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2024-02-07T02:47:59.391Z"}, "references": [{"url": "https://fluidattacks.com/advisories/leon/"}, {"url": "https://github.com/salesagility/SuiteCRM/"}], "source": {"discovery": "EXTERNAL"}, "title": "Suite CRM v7.14.2 - SSRF", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-07T16:21:56.230019Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:39.515Z"}}]}}