{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50590","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-11-05T14:54:49.234Z","datePublished":"2025-11-06T19:59:36.078Z","dateUpdated":"2025-11-28T17:44:13.637Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["‘deleteAttachment’ functionality","‘module’ parameter"],"product":"SuiteCRM","repo":"https://github.com/SuiteCRM/SuiteCRM","vendor":"SuiteCRM","versions":[{"lessThan":"7.12.6","status":"affected","version":"0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*","versionEndExcluding":"7.12.6","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Exodus Intelligence"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator."}],"value":"SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-843","description":"CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-11-28T17:44:13.637Z"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_6"},{"tags":["technical-description"],"url":"https://blog.exodusintel.com/2022/06/09/salesagility-suitecrm-deleteattachment-type-confusion-vulnerability/"},{"tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/suitecrm-type-confusion-via-deleteattachment-functionality"}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2022-06-09T16:00:00.000Z","value":"Exodus Intelligence publicly discloses technical details of vulnerability."},{"lang":"en","time":"2022-05-24T16:00:00.000Z","value":"SuiteCRM releases patched version - 7.12.6."}],"title":"SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-06T20:25:56.333719Z","id":"CVE-2022-50590","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-06T20:26:09.006Z"}}]}}