CVE-2021-25961

Severity CVSS v4.0:
Pending analysis
Type:
CWE-640 Weak Password Recovery Mechanism for Forgotten Password
Publication date:
29/09/2021
Last modified:
07/10/2021

Description

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* 7.1.7 (including) 7.10.32 (excluding)
cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* 7.11.0 (including) 7.11.21 (excluding)