Beware of Local File Inclusion Vulnerability in SuiteCRM Customer Relationship Management Software

CVE: CVE-2024-1644
CVSS v3.1: 9.9
Source: CVE-2024-1644

SuiteCRM, an open source customer relationship management (CRM) application, has been found vulnerable to local file inclusion (LFI). In an LFI flaw, a value the requester controls ends up in a file-include call, so an attacker can make the web server that hosts the application load files it was never meant to serve. This can expose sensitive configuration files and, when the included file contains PHP that the attacker controls, lead to code execution on the server.

The vulnerability, tracked as CVE-2024-1644, has a CVSS score of 9.9, which places it in the critical range. SuiteCRM version 7.14.2 allows the inclusion of local PHP files chosen by the requester. An attacker can send a crafted request to include files such as /etc/passwd or other system files to gather information about the host, and may also be able to include PHP files and execute code on the server.

If you are running SuiteCRM, update immediately to version 7.14.3, which fixes this vulnerability. Applying updates promptly matters because each release closes known security issues. Beyond patching, review how the application resolves file paths: an include call should only accept a name from a fixed allowlist that the application maps to a file, never a path taken from the request. At the PHP and server level, confine file access to the application directory with open_basedir, keep allow_url_include off, and make sure the web server user cannot write to any directory from which PHP files are included, so that an uploaded file or a log cannot become an executable include target. These settings reduce the impact of an LFI bug but do not replace the fix.
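The following is an added illustration of the mechanism described above and of the allowlist mitigation; it is not SuiteCRM's code and does not reproduce the CVE-2024-1644 code path. It shows a hypothetical "render a view" handler written first with the classic LFI defect and then hardened. The view names, file layout and the constructed temporary directory tree are all assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not SuiteCRM's own code. A hypothetical "render a view"
// endpoint: first the vulnerable shape, then an allowlist plus realpath()
// containment check.

/**
 * VULNERABLE: the request parameter is joined to a directory and handed to
 * include() unchanged. "../" sequences walk out of $viewDir, so a request such
 * as ?view=../../../../etc/passwd echoes that file, and pointing the parameter
 * at any attacker-writable file containing PHP (an uploaded "image", a poisoned
 * log) executes it.
 */
function load_view_vulnerable(string $viewDir, string $view): string
{
    ob_start();
    include $viewDir . '/' . $view;   // attacker controls the whole relative path
    return (string) ob_get_clean();
}

/**
 * HARDENED: map a view *name* to a file through an explicit allowlist, then
 * verify that the resolved absolute path really lies inside $viewDir. The
 * allowlist is the primary control; the realpath() check is defence in depth
 * for the day someone adds a dynamic entry to that list.
 */
function resolve_view(string $viewDir, string $view): ?string
{
    $allowed = ['home' => 'home.php', 'contacts' => 'contacts.php']; // assumed view list
    if (!array_key_exists($view, $allowed)) {
        return null;                                   // unknown name: reject
    }
    $base = realpath($viewDir);
    $real = realpath($viewDir . '/' . $allowed[$view]);
    if ($base === false || $real === false) {
        return null;                                   // missing file or directory
    }
    // realpath() canonicalises "..", "." and symlinks, so a prefix test is sound.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function load_view_hardened(string $viewDir, string $view): string
{
    $path = resolve_view($viewDir, $view);
    if ($path === null) {
        return 'invalid view';                         // a real handler would respond 400 here
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Stand-alone demo on a constructed directory tree (assumed layout):
//   <tmp>/views/home.php   the legitimate view
//   <tmp>/backup.env       simulates a config dump holding a credential
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/views', 0700, true);
file_put_contents($root . '/views/home.php', "<?php echo 'home view';");
file_put_contents($root . '/backup.env', "DB_PASSWORD=hunter2");   // constructed sample

echo "vulnerable, legit:  ", load_view_vulnerable($root . '/views', 'home.php'), PHP_EOL;
// include() of a file with no <?php tag echoes it verbatim, so the credential leaks:
echo "vulnerable, attack: ", load_view_vulnerable($root . '/views', '../backup.env'), PHP_EOL;
echo "hardened,   legit:  ", load_view_hardened($root . '/views', 'home'), PHP_EOL;
echo "hardened,   attack: ", load_view_hardened($root . '/views', '../backup.env'), PHP_EOL;

// remove the constructed tree
unlink($root . '/views/home.php');
unlink($root . '/backup.env');
rmdir($root . '/views');
rmdir($root);
```

Run it with `php lfi_demo.php`. The vulnerable handler prints the contents of backup.env for the traversal request; the hardened handler rejects anything that is not a known view name, and the realpath() prefix check would also reject an allowlisted entry that resolved outside the view directory.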

Staying on top of security advisories and updates is key to protecting your CRM data and systems from exploits. We recommend that users patch their SuiteCRM installations now to prevent attacks using this vulnerability.
