CVE-2025-64490

{"id": "CVE-2025-64490", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 2.8}]}, "published": "2025-11-08T01:15:38.830", "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-jh8v-wqgj-hhc2", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con el cliente (CRM) de c\u00f3digo abierto y lista para empresas. Las versiones 7.14.7 y anteriores, 8.0.0-beta.1 hasta la 8.9.0 permiten a un usuario con bajos privilegios y un rol restrictivo ver y crear elementos de trabajo a trav\u00e9s del Calendario de Recursos y las pantallas de proyectos, incluso cuando los m\u00f3dulos relacionados (Proyectos, Tareas de Proyecto, Tareas, Clientes Potenciales, Cuentas, Reuniones, Llamadas) est\u00e1n expl\u00edcitamente configurados como Deshabilitado/Ninguno en la Gesti\u00f3n de Roles. Esto indica una aplicaci\u00f3n inconsistente de ACL/RBAC entre m\u00f3dulos y vistas, lo que resulta en exposici\u00f3n y modificaci\u00f3n de datos no autorizadas. Este problema est\u00e1 solucionado en las versiones 7.14.8 y 8.9.1."}], "lastModified": "2025-11-25T17:32:46.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37968BEF-2577-4B8F-AE06-8C9DCEB9C84B", "versionEndExcluding": "7.14.8"}, {"criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DFDEB5D-4821-41F8-AEBB-38D394739DDE", "versionEndExcluding": "8.9.1", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}