SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality

Advisories

severity: high
date: November 6, 2025
Affecting: SuiteCRM < 7.12.6
CVE: CVE-2022-50590
CWE: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
CVSS: 8.8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
References: SuiteCRM Release Notes
Exodus Intelligence Disclosure
Credit: Exodus Intelligence
Description: SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the 'module' parameter within the 'deleteAttachment' functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator.