SuiteCRM 7.11.11 Broken Access Control / Local File Inclusion

2020-02-13T00:00:00
ID PACKETSTORM:156329
Type packetstorm
Reporter EgiX
Modified 2020-02-13T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------------  
SuiteCRM <= 7.11.11 (add_to_prospect_list) Broken Access Control   
Vulnerability  
------------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://suitecrm.com/  
  
  
[-] Affected Versions:  
  
Version 7.11.11 and prior versions.  
  
  
[-] Vulnerability Description:  
  
There is a Local File Inclusion vulnerability within the   
"add_to_prospect_list" function. User input  
passed through the "parent_module" and "parent_type" parameters is not   
properly validated before  
being used in a call to the include() function. This can be exploited to   
include arbitrary .php  
files within the webroot and potentially bypass authorization mechanisms   
(for instance, by setting  
the "parent_module" parameter to "Administration" and the "parent_type"   
parameter to "expandDatabase"  
or any other administrative action which does not implement ACL checks).  
  
  
[-] Solution:  
  
No official solution is currently available.  
  
  
[-] Disclosure Timeline:  
  
[19/09/2019] - Vendor notified  
[20/09/2019] - Vendor acknowledgement  
[12/11/2019] - Vendor contacted again asking for updates, no response  
[20/01/2020] - Vendor notified about public disclosure intention, no   
response  
[07/02/2020] - CVE number assigned  
[12/02/2020] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2020-8803 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2020-04  
  
  
  
`