SuiteCRM up to 7.10.34/7.12.1 ZIP Archive UpgradeWizard unknown vulnerability

Field | 2022-01-13 06:24 | 2022-01-15 11:08
name | SuiteCRM | SuiteCRM
version | <=7.10.34/7.12.1 | <=7.10.34/7.12.1
component | ZIP Archive Handler | ZIP Archive Handler
function | UpgradeWizard | UpgradeWizard
cwe | 352 (Cross-Site Request Forgery) | 352 (Cross-Site Request Forgery)
risk | 1 | 1
cvss3_vuldb_av | N | N
cvss3_vuldb_ac | L | L
cvss3_vuldb_pr | N | N
cvss3_vuldb_ui | R | R
cvss3_vuldb_s | U | U
cvss3_vuldb_c | N | N
cvss3_vuldb_i | L | L
cvss3_vuldb_a | N | N
cvss3_vuldb_rl | O | O
cvss3_vuldb_rc | C | C
url | https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md | https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md
name | Upgrade | Upgrade
upgrade_version | 7.10.35/7.12.2 | 7.10.35/7.12.2
cve | CVE-2021-41597 | CVE-2021-41597
cve_assigned | 1632434400 | 1632434400
date | 1642028400 (2022-01-13) | 1642028400 (2022-01-13)
cvss2_vuldb_av | N | N
cvss2_vuldb_ac | L | L
cvss2_vuldb_au | N | N
cvss2_vuldb_ci | N | N
cvss2_vuldb_ii | P | P
cvss2_vuldb_ai | N | N
cvss2_vuldb_rc | C | C
cvss2_vuldb_rl | OF | OF
cvss2_vuldb_e | ND | ND
cvss3_vuldb_e | X | X
cvss2_vuldb_basescore | 5.0 | 5.0
cvss2_vuldb_tempscore | 4.4 | 4.4
cvss3_vuldb_basescore | 4.3 | 4.3
cvss3_vuldb_tempscore | 4.1 | 4.1
cvss3_meta_basescore | 4.3 | 4.3
cvss3_meta_tempscore | 4.1 | 4.1
price_0day | $0-$5k | $0-$5k

cve_nvd_summary: SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
