CVE-2022-23940

HIGH

SuiteCRM <8.0.1 - Authenticated RCE

Title source: llm

Description

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.

Exploits (1)

nomisec WORKING POC 12 stars
by manuelz120 · poc
https://github.com/manuelz120/CVE-2022-23940

References (2)

Scores

CVSS v3 8.8
EPSS 0.3587
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

salesagility/suitecrm < 7.12.5

Timeline

Published Mar 10, 2022
Tracked Since Feb 18, 2026