CVE-2025-64490
HIGHSuiteCRM < 7.14.8 - Incorrect Authorization in Resource Calendar and Project Screens
Title source: llmDescription
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-jh8v-wqgj-hhc2
Scores
CVSS v3
8.3
EPSS
0.0023
EPSS Percentile
13.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (1)
salesagility/suitecrm
< 7.14.8
Published
Nov 08, 2025
Tracked Since
Feb 18, 2026