SuiteCRM is Vulnerable to PHP Object Injection in Reports

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1.

Basic Information

ID CVE-2025-54785

Source GitHub_M

Published Aug 6, 2025 at 23:15

Modified Aug 7, 2025 at 14:48

Affected Product

Vendor SuiteCRM

Product SuiteCRM

Version >= 7.14.6, < 7.14.7

Affected Versions SuiteCRM SuiteCRM >= 7.14.6, < 7.14.7
SuiteCRM SuiteCRM >= 8.8.0, < 8.8.1

CWE Classification

CWE-20

References

{
    "lastseen": "",
    "description": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6  and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1.",
    "published": "2025-08-06T23:15:16.718Z",
    "modified": "2025-08-07T14:48:26.266Z",
    "type": "cve",
    "title": "SuiteCRM is Vulnerable to PHP Object Injection in Reports",
    "source": "GitHub_M",
    "references": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-53cp-mpfw-qj67\nhttps://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7",
    "id": "CVE-2025-54785",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "SuiteCRM SuiteCRM >= 7.14.6, < 7.14.7\nSuiteCRM SuiteCRM >= 8.8.0, < 8.8.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SuiteCRM",
    "version": ">= 7.14.6, < 7.14.7",
    "vendor": "SuiteCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SuiteCRM is Vulnerable to PHP Object Injection in Reports_CVE-2025-54785