CVE-2023-47643

SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
Configurations

Configuration 1 (hide)

cpe:2.3:a:salesagility:suitecrm:8.4.1:*:*:*:*:*:*:*

History

29 Nov 2023, 02:36

Type Values Removed Values Added
CPE cpe:2.3:a:salesagility:suitecrm:8.4.1:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
First Time Salesagility
Salesagility suitecrm
References () https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr - () https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr - Exploit, Vendor Advisory
References () https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33 - () https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33 - Patch
References () https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/ - () https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/ - Technical Description

21 Nov 2023, 20:31

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-21 20:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-47643

Mitre link : CVE-2023-47643

CVE.ORG link : CVE-2023-47643


JSON object : View

Products Affected

salesagility

  • suitecrm
CWE
NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor