SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.

AI Analysis

A vulnerability in SuiteCRM's legacy iCal service allows unauthenticated access to meeting data, enabling attackers to view any user's calendar events and potentially enumerate users. This issue is fixed in versions 7.14.7 and 8.8.1.

Basic Information

ID CVE-2025-54786

Source GitHub_M

Published Aug 6, 2025 at 23:23

Affected Product

Vendor SuiteCRM

Product SuiteCRM-Core

Version >= 8.8.0, < 8.8.1

Affected Versions SuiteCRM SuiteCRM-Core >= 8.8.0, < 8.8.1
SuiteCRM SuiteCRM-Core >= 7.14.6, < 7.14.7

CWE Classification

CWE-200 CWE-284 CWE-287

AI Assessment

AI Severity Medium

Vendor SuiteCRM

Product SuiteCRM

Version 8.8.0, 7.14.6

References

{
    "lastseen": "",
    "description": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.",
    "published": "2025-08-06T23:23:00.948Z",
    "modified": "2025-08-06T23:23:00.948Z",
    "type": "cve",
    "title": "SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data",
    "source": "GitHub_M",
    "references": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm\nhttps://docs.suitecrm.com/8.x/admin/releases/8.8",
    "id": "CVE-2025-54786",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-284",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "SuiteCRM SuiteCRM-Core >= 8.8.0, < 8.8.1\nSuiteCRM SuiteCRM-Core >= 7.14.6, < 7.14.7",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SuiteCRM-Core",
    "version": ">= 8.8.0, < 8.8.1",
    "vendor": "SuiteCRM",
    "ai_description": "A vulnerability in SuiteCRM's legacy iCal service allows unauthenticated access to meeting data, enabling attackers to view any user's calendar events and potentially enumerate users. This issue is fixed in versions 7.14.7 and 8.8.1.",
    "ai_severity": "Medium",
    "ai_vendor": "SuiteCRM",
    "ai_product": "SuiteCRM",
    "ai_version": "8.8.0, 7.14.6",
    "ai_score": 0
}