Improper Authorization in salesagility/suitecrm

2022-02-14 08:37:20
faisalfs10x
www.huntr.dev
suitecrm v7.12.4
employee module
user type
unauthorized access
sensitive information disclosure
vulnerability
data exposure
security issue

EPSS

0.001

Percentile

30.4%

Description

In SuiteCRM v7.12.4, in the Employee Module, any user whose User Type is Regular User can export employee records via the /index.php?entryPoint=export endpoint. The prerequisite for this attack is knowing the user record ID, which can be obtained from the Employees section. The impact is exposure of employee record information such as User Name, Full Name, ID, Full Address, Phone Number and other fields.

Proof of Concept

Affected Endpoint:

POST http://{HOST}/index.php?entryPoint=export

Request file, password: xBCwVicbq9

Impact

This vulnerability leads to unauthorized disclosure of sensitive information about affected parties, such as User Name, ID and other fields, which can be used to orchestrate further attacks.
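For defenders, the practical question raised by this report is whether non-administrator accounts have been hitting the export entry point. The following Python script is an added example, not part of the original report or SuiteCRM's own code: it scans constructed web-server log lines for POST requests to index.php?entryPoint=export and flags those made by accounts that are not of the Administrator user type. The log format (Apache combined log with a trailing authenticated-username field), the USER_TYPE role table and the account names are assumptions for illustration.

```python
"""
Detection sketch for export requests by non-administrator accounts, in the
spirit of the SuiteCRM entryPoint=export issue described above.  Added example;
the log format and role table below are constructed assumptions, not SuiteCRM's.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (assumption: combined log format plus a trailing field
# holding the authenticated application username, "-" when unauthenticated).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2022:08:37:20 +0000] "POST /index.php?entryPoint=export HTTP/1.1" 200 4821 "-" "Mozilla/5.0" admin
10.0.0.9 - - [14/Feb/2022:08:38:01 +0000] "POST /index.php?entryPoint=export HTTP/1.1" 200 3990 "-" "Mozilla/5.0" jdoe
10.0.0.9 - - [14/Feb/2022:08:38:10 +0000] "GET /index.php?module=Employees&action=index HTTP/1.1" 200 15020 "-" "Mozilla/5.0" jdoe
10.0.0.7 - - [14/Feb/2022:08:39:44 +0000] "POST /index.php?entryPoint=export HTTP/1.1" 302 0 "-" "curl/7.81" -
"""

# Constructed role table (assumption): maps account name to its User Type.
USER_TYPE = {"admin": "Administrator", "jdoe": "Regular User"}

# One combined-log line with the trailing username field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*" (?P<user>\S+)$'
)


@dataclass
class Finding:
    ts: str
    ip: str
    user: str
    user_type: str
    status: int


def is_export_request(method: str, path: str) -> bool:
    """True for a POST whose query string carries entryPoint=export."""
    if method != "POST":
        return False
    query = parse_qs(urlsplit(path).query)
    return "export" in query.get("entryPoint", [])


def scan(log_text: str, user_type: dict = USER_TYPE) -> list:
    """Return one Finding per export request not made by an Administrator.

    Unknown or unauthenticated usernames are reported with user_type
    "unknown" so they are not silently dropped.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if not is_export_request(m["method"], m["path"]):
            continue
        user = m["user"]
        utype = user_type.get(user, "unknown")
        if utype == "Administrator":
            continue
        findings.append(Finding(m["ts"], m["ip"], user, utype, int(m["status"])))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} user={f.user} type={f.user_type} status={f.status}")
```

Run as a script it prints the two suspicious entries from the sample (the Regular User export and the unauthenticated one); in practice the username field would come from the application's own audit trail rather than the web-server log, and a 302 with a zero-byte body usually means the request was redirected to login rather than served.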
