CVE-2025-54786
BaseFortify
Publication date: 2025-08-07
Last updated on: 2025-08-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| salesagility | suitecrm | 7.14.6 |
| salesagility | suitecrm | 8.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a broken authentication issue in the legacy iCal service of SuiteCRM versions 7.14.6 and 8.8.0. It allows an unauthenticated attacker to access meeting (calendar event) data of any user if they know the username. Additionally, the vulnerability enables user enumeration through related functionality. The issue is fixed in versions 7.14.7 and 8.8.1.
How can this vulnerability impact me? :
An attacker can view private meeting data of any user without authentication, potentially exposing sensitive scheduling information. This unauthorized access could lead to privacy breaches and misuse of confidential calendar information.
What immediate steps should I take to mitigate this vulnerability?
Upgrade SuiteCRM to version 7.14.7 or 8.8.1 or later, as these versions contain the fix for the broken authentication in the legacy iCal service that allows unauthenticated access to meeting data.