SuiteCRM up to 7.10.34/7.12.1 ZIP Archive UpgradeWizard cross-site request forgery

A vulnerability was found in SuiteCRM up to 7.10.34/7.12.1. It has been classified as problematic. Affected is the function UpgradeWizard of the component ZIP Archive Handler. Upgrading to version 7.10.35 or 7.12.2 eliminates this vulnerability.

Field                  | 01/13/2022 06:24 AM                                              | 01/15/2022 11:08 AM
-----------------------|------------------------------------------------------------------|------------------------------------------------------------------
name                   | SuiteCRM                                                         | SuiteCRM
version                | <=7.10.34/7.12.1                                                 | <=7.10.34/7.12.1
component              | ZIP Archive Handler                                              | ZIP Archive Handler
function               | UpgradeWizard                                                    | UpgradeWizard
cwe                    | 352 (cross site request forgery)                                 | 352 (cross site request forgery)
risk                   | 1                                                                | 1
cvss3_vuldb_av         | N                                                                | N
cvss3_vuldb_ac         | L                                                                | L
cvss3_vuldb_pr         | N                                                                | N
cvss3_vuldb_ui         | R                                                                | R
cvss3_vuldb_s          | U                                                                | U
cvss3_vuldb_c          | N                                                                | N
cvss3_vuldb_i          | L                                                                | L
cvss3_vuldb_a          | N                                                                | N
cvss3_vuldb_rl         | O                                                                | O
cvss3_vuldb_rc         | C                                                                | C
url                    | https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md      | https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md
name                   | Upgrade                                                          | Upgrade
upgrade_version        | 7.10.35/7.12.2                                                   | 7.10.35/7.12.2
cve                    | CVE-2021-41597                                                   | CVE-2021-41597
cve_assigned           | 1632434400                                                       | 1632434400
date                   | 1642028400 (01/13/2022)                                          | 1642028400 (01/13/2022)
cvss2_vuldb_av         | N                                                                | N
cvss2_vuldb_ac         | L                                                                | L
cvss2_vuldb_au         | N                                                                | N
cvss2_vuldb_ci         | N                                                                | N
cvss2_vuldb_ii         | P                                                                | P
cvss2_vuldb_ai         | N                                                                | N
cvss2_vuldb_rc         | C                                                                | C
cvss2_vuldb_rl         | OF                                                               | OF
cvss2_vuldb_e          | ND                                                               | ND
cvss3_vuldb_e          | X                                                                | X
cvss2_vuldb_basescore  | 5.0                                                              | 5.0
cvss2_vuldb_tempscore  | 4.4                                                              | 4.4
cvss3_vuldb_basescore  | 4.3                                                              | 4.3
cvss3_vuldb_tempscore  | 4.1                                                              | 4.1
cvss3_meta_basescore   | 4.3                                                              | 4.3
cvss3_meta_tempscore   | 4.1                                                              | 4.1
price_0day             | $0-$5k                                                           | $0-$5k
cve_nvd_summary        |                                                                  | SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
