
Description

SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability (CWE-843) in the handling of the ‘module’ parameter of the ‘deleteAttachment’ functionality. A remote, unauthenticated attacker can exploit it to alter database objects, including changing the administrator's email address. The fix shipped in SuiteCRM 7.12.6 (2022-05-24); the CVE identifier was assigned retroactively in November 2025.

State: PUBLISHED | Reserved: 2025-11-05 | Published: 2025-11-06 | Updated: 2025-11-06 | Assigner: VulnCheck

Severity: HIGH 8.8 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Product status

Default status: unaffected

Any version before 7.12.6: affected
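The affected range above is "any version before 7.12.6". A checker that compares version strings as text gets this wrong (as text, '7.12.10' sorts before '7.12.6', yet it is the newer, patched build), so the comparison has to be numeric. The following is an added example, not code from the CVE record, SuiteCRM or Exodus Intelligence; it assumes that the install's root `suitecrm_version.php` contains a line of the form `$suitecrm_version = '7.12.5';` (a constructed sample of that file is embedded below), and it treats a pre-release tag of 7.12.6 itself as still affected, since the fix ships in the final 7.12.6.

```python
import re

# Fixed release named in the CVE record: anything before 7.12.6 is affected.
FIXED_VERSION = (7, 12, 6)

# major.minor.patch, optionally followed by a pre-release tag such as
# '-beta' or 'rc1'. Anything else (e.g. 'latest', '7.12') is rejected.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:-?([A-Za-z][0-9A-Za-z.-]*))?\s*$"
)

# Assumed layout of suitecrm_version.php: $suitecrm_version = '7.12.5';
_PHP_VERSION_RE = re.compile(r"\$suitecrm_version\s*=\s*['\"]([^'\"]+)['\"]")

# Constructed sample of suitecrm_version.php, not taken from a real install.
SAMPLE_SUITECRM_VERSION_PHP = """<?php
$suitecrm_version = '7.12.5';
"""


def parse_version(text):
    """Split '7.12.6' or '7.12.6-beta' into ((7, 12, 6), 'beta').

    Raises ValueError for strings that are not a SuiteCRM-style version,
    so a malformed or missing version is never silently treated as safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    core = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    return core, suffix


def is_affected(version_text):
    """True if the version falls in 'any version before 7.12.6'.

    Tuple comparison is numeric per component, so 7.12.10 > 7.12.6 and
    7.11.22 < 7.12.6, which string comparison would get backwards.
    A pre-release of 7.12.6 (e.g. 7.12.6-beta) counts as affected.
    """
    core, suffix = parse_version(version_text)
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and suffix:
        return True
    return False


def version_from_php(source):
    """Extract the version from suitecrm_version.php text.

    Returns None when the assignment is absent (caller decides whether
    that is an error; it must not be read as 'unaffected').
    """
    m = _PHP_VERSION_RE.search(source)
    return m.group(1) if m else None


if __name__ == "__main__":
    version = version_from_php(SAMPLE_SUITECRM_VERSION_PHP)
    print("installed:", version, "affected:", is_affected(version))
    for v in ("7.12.5", "7.12.6", "7.12.10", "7.11.22", "7.12.6-beta"):
        print(v, "affected" if is_affected(v) else "not affected")
```

To run it against a real install, read the root `suitecrm_version.php` into `version_from_php` instead of the constructed sample; a `None` result or a `ValueError` should be reported, not treated as a pass.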

Timeline

2022-05-24: SuiteCRM releases patched version 7.12.6.
2022-06-09: Exodus Intelligence publicly discloses technical details of the vulnerability.

Credits

Exodus Intelligence (finder)

References

docs.suitecrm.com/admin/releases/7.12.x/ (vendor advisory, patch)

blog.exodusintel.com/...chment-type-confusion-vulnerability/ (technical description)

www.vulncheck.com/...sion-via-deleteattachment-functionality (third-party advisory)

cve.org record for CVE-2022-50590

nvd.nist.gov entry for CVE-2022-50590
