CVE-2025-64490
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-08

Last updated on: 2025-11-25

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-08
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-11-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64490
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
salesagility suitecrm to 7.14.8 (exc)
salesagility suitecrm From 8.0.0 (inc) to 8.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in SuiteCRM allows a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules are explicitly disabled or set to none in Role Management. This happens due to inconsistent enforcement of Access Control Lists (ACL) and Role-Based Access Control (RBAC) across different modules and views, leading to unauthorized data exposure and modification.

Impact Analysis

The vulnerability can lead to unauthorized users accessing and modifying sensitive data within SuiteCRM, such as projects, tasks, leads, accounts, meetings, and calls. This unauthorized access can compromise data confidentiality and integrity, potentially leading to data breaches, operational disruptions, and loss of trust.

Mitigation Strategies

Upgrade SuiteCRM to version 7.14.8 or later, or 8.9.1 or later, where this vulnerability is fixed. Additionally, review and correct Role Management settings to ensure that modules are properly restricted and access control is consistently enforced.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart