huntr | Faisalfs10x | 8AFB7991-C6ED-42D9-BD9B-1CC83418DF88
Feb 12, 2022 - 5:11 p.m.

SQL Injection in salesagility/suitecrm

2022-02-12 17:11:47
faisalfs10x
www.huntr.dev
19
suitecrm
sql injection
vulnerability
salesagility
database leakage

EPSS

0.001

Percentile

30.4%

Description

In SuiteCRM v7.12.4, a malicious user can inject SQL into a predefined query, altering its execution and leaking database contents.

Proof of Concept

The $_POST['record'] parameter [1] is user-controlled and is concatenated into the SQL query [2] without validation.

Source file: https://github.com/salesagility/SuiteCRM/blob/master/modules/ProspectLists/Duplicate.php#L62

$focus->retrieve($_POST['record']); //[1]
if (isset($_POST['isDuplicate']) && $_POST['isDuplicate'] == true) {
    $focus->id='';
    $focus->name=$mod_strings['LBL_COPY_PREFIX'].' '.$focus->name;
    
    $focus->save();
    $return_id=$focus->id;
    //duplicate the linked items.
    $query  = "select * from prospect_lists_prospects where prospect_list_id = '".$_POST['record']."'"; // [2]
    $result = $focus->db->query($query);

Impact

This vulnerability allows an attacker to read sensitive database information, such as the admin password hash and existing database data.
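
For comparison with the concatenated query at [2], here is a hardened form of the same lookup. This is an added example, not SuiteCRM's code or its actual fix. It uses PDO with an in-memory SQLite database instead of SuiteCRM's database layer, the function names isValidRecordId and linkedProspects are hypothetical, and it assumes record IDs are 36-character GUIDs.

```php
<?php
// Added example: stand-alone PDO/SQLite sketch, not SuiteCRM code.
// Table name follows the advisory; rows and IDs are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE prospect_lists_prospects (id TEXT, prospect_list_id TEXT)");
$db->exec("INSERT INTO prospect_lists_prospects VALUES
    ('r1', '11111111-1111-1111-1111-111111111111'),
    ('r2', '22222222-2222-2222-2222-222222222222')");

// Assumption: record IDs are 36-character GUIDs; reject anything else up front.
function isValidRecordId($value): bool
{
    return is_string($value)
        && preg_match('/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i', $value) === 1;
}

// Hardened lookup: the ID is bound as a parameter, never concatenated into the SQL text.
function linkedProspects(PDO $db, $recordId): array
{
    if (!isValidRecordId($recordId)) {
        throw new InvalidArgumentException('record must be a GUID');
    }
    $stmt = $db->prepare(
        'SELECT id FROM prospect_lists_prospects WHERE prospect_list_id = :id'
    );
    $stmt->execute([':id' => $recordId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_POST['record'].
$inputs = [
    '11111111-1111-1111-1111-111111111111', // well-formed ID
    "list'2022",                            // quote would end the string literal if concatenated
    ['nested' => 'array'],                  // PHP turns record[]=... into an array
];

foreach ($inputs as $input) {
    try {
        $rows = linkedProspects($db, $input);
        echo json_encode($input), ' -> ', json_encode($rows), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($input), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The format check and the bound parameter are independent layers: the check rejects malformed input early, and the binding keeps the value out of the SQL text even if the check is later loosened.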
