Data leak risk from two SQL vulnerabilities in SuiteCRM

Published 2025-11-11 (updated 2026-02-03). Source: https://infosec.new88088.net/2025/11/11/rui-ro-ro-ri-du-lieu-tu-hai-lo-hong-sql-tren-suitecrm/

SuiteCRM is an open-source customer relationship management (CRM) platform, developed from SugarCRM, that provides a full set of functions for customer management, sales, marketing and service support. Thanks to its flexible customization, reasonable deployment cost and broad support community, SuiteCRM is chosen by many small and medium-sized enterprises in Vietnam, especially in commerce, services and information technology. However, centrally storing large volumes of customer data also makes the platform an attractive target for cyber attacks.

SuiteCRM recently issued an urgent warning after two serious SQL injection vulnerabilities were found in older versions of the system. Both vulnerabilities can allow an authenticated attacker to extract sensitive data directly from the database, posing a major risk to customer information and to the business's operations.

The first vulnerability, CVE-2025-64492, is rated high severity with a CVSS score of 8.8. It is a time-based blind SQL injection, in which the attacker uses the system's response delay to infer and extract data step by step. If exploited successfully, the attacker can enumerate the database structure, tables and columns and collect sensitive information such as hashed passwords or customer data. The vulnerability requires an authenticated account, so the risk comes mainly from compromised accounts or deliberate insider activity.

The second vulnerability, CVE-2025-64493, lies in the appMetadata operation of the GraphQL API in SuiteCRM versions 8.6.0 through 8.8.0. Worryingly, it does not require administrative privileges, meaning any logged-in user account can be used to carry out the attack. Like CVE-2025-64492, it is also a time-based blind SQL injection, allowing data to be extracted without leaving obvious signs right away.

SuiteCRM has released a fix for both vulnerabilities in version 8.9.1 and recommends that all users upgrade immediately to eliminate the risk of exploitation. Beyond updating the software, security experts also advise businesses to apply additional measures such as enabling multi-factor authentication, restricting access to the GraphQL API to the internal network or a VPN, deploying a web application firewall, and strengthening monitoring of query and login logs. As CRM platforms are increasingly targeted by hackers, proactively patching and tightening security controls is key to protecting data and the business's reputation.