In SuiteCRM v7.12.4, a malicious user can inject an SQL query in order to alter the execution of predefined SQL commands, leading to database leakage. The $_POST['record'] parameter [1] is user-controllable and is concatenated into an SQL query [2] without any validation.
Source file: https://github.com/salesagility/SuiteCRM/blob/master/modules/ProspectLists/Duplicate.php#L62
    $focus->retrieve($_POST['record']); // [1] user-controlled value read from the request
    if (isset($_POST['isDuplicate']) && $_POST['isDuplicate'] == true) {
        $focus->id = '';
        $focus->name = $mod_strings['LBL_COPY_PREFIX'] . ' ' . $focus->name;
        $focus->save();
        $return_id = $focus->id;
        // duplicate the linked items.
        $query = "select * from prospect_lists_prospects where prospect_list_id = '" . $_POST['record'] . "'"; // [2] same value concatenated into the query string
        $result = $focus->db->query($query);
This vulnerability can be used to read sensitive database information, such as the admin password hash and other existing database data.
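For comparison, the following is an added example (not SuiteCRM's code and not part of the original report) of how the same lookup looks when the record id is validated against SuiteCRM's 36-character GUID format and bound as a query parameter instead of being concatenated. It assumes a PDO connection to the same database; the table and column names are taken from the query at [2], and the function names are chosen for this illustration.

```php
<?php
// Added example, not SuiteCRM's own code: hardened form of the query at [2].
// Assumptions: a PDO handle to the CRM database; SuiteCRM record ids are
// 36-character GUIDs in 8-4-4-4-12 hexadecimal groups.

function isValidRecordId(string $id): bool
{
    // Allowlist check: anything that is not a well-formed GUID is rejected
    // before it ever reaches the database layer.
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $id
    );
}

function fetchLinkedProspects(PDO $pdo, string $recordId): array
{
    if (!isValidRecordId($recordId)) {
        // Fail closed: the unfixed code would splice this value into the SQL verbatim.
        throw new InvalidArgumentException('record must be a SuiteCRM GUID');
    }

    // A bound parameter keeps the value as data; it can no longer change the
    // structure of the statement regardless of the characters it contains.
    $stmt = $pdo->prepare(
        'SELECT * FROM prospect_lists_prospects WHERE prospect_list_id = :id'
    );
    $stmt->execute([':id' => $recordId]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs (not taken from any real system):
$samples = [
    '12345678-abcd-4ef0-9abc-123456789012', // well-formed GUID, accepted
    "abc'def",                                // contains a quote, rejected
    'not-a-guid',                             // wrong shape, rejected
];

foreach ($samples as $sample) {
    printf("%-40s %s\n", $sample, isValidRecordId($sample) ? 'accepted' : 'rejected');
}
```

Either measure on its own closes the injection shown at [2]; using both means a malformed id is rejected early with a clear error and a well-formed one can still never alter the query. The same check belongs in front of the retrieve() call at [1], which receives the identical untrusted value.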