Vulnerability Description
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Salesagility | Suitecrm | 8.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c9122260Patch
- https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfvExploitVendor Advisory
- https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphTechnical Description
- https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c9122260Patch
- https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfvExploitVendor Advisory
- https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphTechnical Description
FAQ
What is CVE-2023-47643?
CVE-2023-47643 is a vulnerability with a CVSS score of 3.1 (LOW). SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object type...
How severe is CVE-2023-47643?
CVE-2023-47643 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-47643?
Check the references section above for vendor advisories and patch information. Affected products include: Salesagility Suitecrm.