SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.

Basic Information

ID CVE-2025-54786

Source GitHub_M

Published Aug 6, 2025 at 23:23

Modified Aug 7, 2025 at 14:47

Affected Product

Vendor SuiteCRM

Product SuiteCRM-Core

Version >= 8.8.0, < 8.8.1

Affected Versions SuiteCRM SuiteCRM-Core >= 8.8.0, < 8.8.1
SuiteCRM SuiteCRM-Core >= 7.14.6, < 7.14.7

CWE Classification

CWE-200 CWE-284 CWE-287

References

{
    "lastseen": "",
    "description": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.",
    "published": "2025-08-06T23:23:00.948Z",
    "modified": "2025-08-07T14:47:54.710Z",
    "type": "cve",
    "title": "SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data",
    "source": "GitHub_M",
    "references": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm\nhttps://docs.suitecrm.com/8.x/admin/releases/8.8",
    "id": "CVE-2025-54786",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-284",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "SuiteCRM SuiteCRM-Core >= 8.8.0, < 8.8.1\nSuiteCRM SuiteCRM-Core >= 7.14.6, < 7.14.7",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SuiteCRM-Core",
    "version": ">= 8.8.0, < 8.8.1",
    "vendor": "SuiteCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data_CVE-2025-54786