SuiteCRM 7.11.11 Broken Access Control / Local File Inclusion

Type packetstorm
Reporter EgiX
Modified 2020-02-13T00:00:00


SuiteCRM <= 7.11.11 (add_to_prospect_list) Broken Access Control   
[-] Software Link:  
[-] Affected Versions:  
Version 7.11.11 and prior versions.  
[-] Vulnerability Description:  
There is a Local File Inclusion vulnerability within the   
"add_to_prospect_list" function. User input  
passed through the "parent_module" and "parent_type" parameters is not   
properly validated before  
being used in a call to the include() function. This can be exploited to   
include arbitrary .php  
files within the webroot and potentially bypass authorization mechanisms   
(for instance, by setting  
the "parent_module" parameter to "Administration" and the "parent_type"   
parameter to "expandDatabase"  
or any other administrative action which does not implement ACL checks).  
[-] Solution:  
No official solution is currently available.  
[-] Disclosure Timeline:  
[19/09/2019] - Vendor notified  
[20/09/2019] - Vendor acknowledgement  
[12/11/2019] - Vendor contacted again asking for updates, no response  
[20/01/2020] - Vendor notified about public disclosure intention, no   
[07/02/2020] - CVE number assigned  
[12/02/2020] - Public disclosure  
[-] CVE Reference:  
The Common Vulnerabilities and Exposures project (  
has assigned the name CVE-2020-8803 to this vulnerability.  
[-] Credits:  
Vulnerability discovered by Egidio Romano.  
[-] Original Advisory: