SuiteCRM is Vulnerable to PHP Object Injection in Reports -...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1.

AI Analysis

SuiteCRM versions 7.14.6 and 8.8.0 are vulnerable to PHP Object Injection due to improper validation of user input, which could allow attacks like privilege escalation and data exposure. This issue is resolved in versions 7.14.7 and 8.8.1.

Basic Information

ID CVE-2025-54785

Source GitHub_M

Published Aug 6, 2025 at 23:15

Affected Product

Vendor SuiteCRM

Product SuiteCRM

Version >= 7.14.6, < 7.14.7

Affected Versions SuiteCRM SuiteCRM >= 7.14.6, < 7.14.7
SuiteCRM SuiteCRM >= 8.8.0, < 8.8.1

CWE Classification

CWE-20

AI Assessment

AI Severity High

Vendor SuiteCRM Project

Product SuiteCRM

Version 7.14.6, 8.8.0

References

{
    "lastseen": "",
    "description": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1.",
    "published": "2025-08-06T23:15:16.718Z",
    "modified": "2025-08-06T23:15:47.710Z",
    "type": "cve",
    "title": "SuiteCRM is Vulnerable to PHP Object Injection in Reports",
    "source": "GitHub_M",
    "references": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-53cp-mpfw-qj67\nhttps://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7",
    "id": "CVE-2025-54785",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "SuiteCRM SuiteCRM >= 7.14.6, < 7.14.7\nSuiteCRM SuiteCRM >= 8.8.0, < 8.8.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SuiteCRM",
    "version": ">= 7.14.6, < 7.14.7",
    "vendor": "SuiteCRM",
    "ai_description": "SuiteCRM versions 7.14.6 and 8.8.0 are vulnerable to PHP Object Injection due to improper validation of user input, which could allow attacks like privilege escalation and data exposure. This issue is resolved in versions 7.14.7 and 8.8.1.",
    "ai_severity": "High",
    "ai_vendor": "SuiteCRM Project",
    "ai_product": "SuiteCRM",
    "ai_version": "7.14.6, 8.8.0",
    "ai_score": 0
}