CVE-2026-29096

{"id": "CVE-2026-29096", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-19T23:16:41.407", "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con clientes (CRM) de c\u00f3digo abierto, lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, al crear o editar un informe (m\u00f3dulo AOR_Reports), el par\u00e1metro 'field_function' de los datos POST se guarda directamente en la tabla 'aor_fields' sin ninguna validaci\u00f3n. M\u00e1s tarde, cuando el informe se ejecuta/visualiza, este valor se concatena directamente en una consulta SQL SELECT sin saneamiento, lo que permite una inyecci\u00f3n SQL de segundo orden. Cualquier usuario autenticado con acceso a Informes puede extraer contenido arbitrario de la base de datos (hashes de contrase\u00f1as, tokens de API, valores de configuraci\u00f3n). En MySQL con privilegio FILE, esto podr\u00eda llevar a RCE a trav\u00e9s de SELECT INTO OUTFILE. Las versiones 7.15.1 y 8.9.3 corrigen el problema."}], "lastModified": "2026-03-24T14:58:53.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99", "versionEndExcluding": "7.15.1"}, {"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF", "versionEndExcluding": "8.9.3", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}