CVE-2022-50590
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
A type confusion vulnerability in SuiteCRM prior to version 7.12.6 occurs during processing of the 'module' parameter in the 'deleteAttachment' functionality. A remote unauthenticated attacker can alter database objects, including changing the administrator's email address.
Risk Assessment
The risk involves potential takeover of the administrator account by changing their email address, which could lead to full compromise of the CRM system and exposure of sensitive data.
Recommendation
Immediately upgrade SuiteCRM to version 7.12.6 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator.

