CVE-2023-47643
SuiteCRM < 8.4.2 - Unauthenticated Exposure of Sensitive Information via GraphQL Introspection
Severity: LOW | Exploited in the wild | Nuclei template available
Exploitation Summary
CVE-2023-47643 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, GraphQL introspection is enabled without authentication, exposing the schema that defines all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
Nuclei Templates (1)
SuiteCRM Unauthenticated Graphql Introspection
Severity: MEDIUM | Verified | by isacaya
Shodan:
title:"SuiteCRM" || http.title:"suitecrm"
FOFA:
title="suitecrm"
References (3)
Core References
Exploit, Vendor Advisory (x_refsource_confirm):
https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr
Patch (x_refsource_misc):
https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33
Technical Description (x_refsource_misc):
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/
Scores
CVSS v3
3.1
EPSS
0.0300
EPSS Percentile
85.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2024-12-24
CWE
CWE-200
Status
published
Products (1)
salesagility/suitecrm
8.4.1
Published
Nov 21, 2023
Tracked Since
Feb 18, 2026