CVE-2025-54787
BaseFortify
Publication date: 2025-08-07
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| salesagility | suitecrm | From 8.6.0 (inc) to 8.8.1 (exc) |
| salesagility | suitecrm | 7.14.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in SuiteCRM version 7.14.6 allows an unauthenticated attacker to download any file from the upload-directory if the file is named by an ID, such as attachments. The attacker can access internal files by discovering a valid file-ID, which can be brute-forced but is time-consuming due to the use of UUIDs as file-IDs. The issue is fixed in version 7.14.7.
How can this vulnerability impact me? :
An attacker could gain unauthorized access to internal files stored in the upload-directory of SuiteCRM, potentially exposing sensitive information. Although brute-forcing valid file-IDs is difficult, successful exploitation could lead to information disclosure without any authentication required.
What immediate steps should I take to mitigate this vulnerability?
Upgrade SuiteCRM to version 7.14.7 or later, where this vulnerability is fixed.