CVE-2025-64490
BaseFortify
Publication date: 2025-11-08
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| salesagility | suitecrm | Up to 7.14.8 (exc) |
| salesagility | suitecrm | From 8.0.0 (inc) to 8.9.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in SuiteCRM allows a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules are explicitly disabled or set to None in Role Management. It stems from inconsistent enforcement of Access Control Lists (ACL) and Role-Based Access Control (RBAC) across different modules and views: the authorization check exists, but it is not applied uniformly, which leads to unauthorized data exposure and modification.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized users accessing and modifying sensitive data within SuiteCRM, such as projects, tasks, leads, accounts, meetings, and calls. This unauthorized access can compromise data confidentiality and integrity, potentially leading to data breaches, operational disruptions, and loss of trust.
What immediate steps should I take to mitigate this vulnerability?
Upgrade SuiteCRM to version 7.14.8 or later, or 8.9.1 or later, where this vulnerability is fixed. Additionally, review and correct Role Management settings to ensure that modules are properly restricted and access control is consistently enforced.