/cves/ Recent content in CVEs on SECarius Hugo en Wed, 12 Feb 2025 00:00:00 +0000 /cves/cve_2024_36415_what_is_rce_after_all_just_a_puzzle_put_together/ Wed, 12 Feb 2025 00:00:00 +0000 /cves/cve_2024_36415_what_is_rce_after_all_just_a_puzzle_put_together/ <p>Hey there,</p> <p>For the part two of the series on my SuiteCRM vulnerabilities, I&rsquo;ll explain how I managed, with a bit of creativity, to chain a few vulnerabilities and strange features together to achieve Remote Code Execution (RCE) on the SuiteCRM application.</p> <p>Reminder: You might want to read the first part of the series, where I detail what is SuiteCRM and how I found the first vulnerability in the application. You can find it <a href="/cves/cve_2024_36412_using_filters_against_filters_unexpected_sql_injection/">here</a>. Everything here is done on a private lab</p> /cves/cve_2024_36412_using_filters_against_filters_unexpected_sql_injection/ Mon, 10 Feb 2025 00:00:00 +0000 /cves/cve_2024_36412_using_filters_against_filters_unexpected_sql_injection/ <h1 id="introduction">Introduction</h1> <p>Hello there,</p> <p>Since this is my first article in years, I needed something cool to write about. So, I finally decided to cover the CVEs I discovered last year in the popular tool SuiteCRM.</p> <p>Back in February 2024, when I was still a full-time pentester, I was assigned a one-week pentest for a client. Looking at the scope, I came across a tool I had never seen before: SuiteCRM.</p>