Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[KIS-2020-05] SuiteCRM <= 7.11.10 Multiple SQL Injection Vulnerabilities

Related Vulnerabilities: CVE-2020-8804  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="6"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#7">By Date</a>
<a href="8"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="6"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#7">By Thread</a>
<a href="8"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2020-05] SuiteCRM &lt;= 7.11.10 Multiple SQL Injection Vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Egidio Romano &lt;research () karmainsecurity com&gt;


<em>Date</em>: Wed, 12 Feb 2020 20:05:38 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">----------------------------------------------------------
SuiteCRM &lt;= 7.11.10 Multiple SQL Injection Vulnerabilities
----------------------------------------------------------


[-] Software Link:

<a rel="nofollow" href="https://suitecrm.com/">https://suitecrm.com/</a>


[-] Affected Versions:

Version 7.11.10 and prior versions.


[-] Vulnerabilities Description:

</pre><tt>1) The vulnerability is located within the SOAP API, specifically into 
</tt><tt>the set_entries() SOAP
</tt><tt>function. User input passed through the "name_value_lists" parameter 
</tt><tt>(specifically the "first_name"
</tt><tt>and "last_name" elements) isn’t properly sanitized before being used to 
</tt><tt>construct a SQL query from
</tt><tt>within the check_for_duplicate_contacts() function. This can be 
</tt><tt>exploited by malicious users to e.g.
</tt><tt>read sensitive data from the database through in-bound SQL injection 
</tt><tt>attacks.
</tt><pre style="margin: 0em;">
</pre><tt>2) The vulnerability is located within the EmailUIAjax interface. User 
</tt><tt>input passed through the
</tt><tt>"bean_module" and "bean_id" parameters when handling the "addContact" 
</tt><tt>action isn’t properly sanitized
</tt><tt>before being used to construct a SQL query. This can be exploited by 
</tt><tt>malicious users to read sensitive
</tt><pre style="margin: 0em;">data from the database through boolean-based SQL injection attacks.

</pre><tt>3) The vulnerability is located within the EmailUIAjax interface. User 
</tt><tt>input passed through the
</tt><tt>"contactData" parameter when handling the "addContactsMultiple" action 
</tt><tt>isn’t properly sanitized
</tt><tt>before being used to construct a SQL query. This can be exploited by 
</tt><tt>malicious users to read
</tt><tt>sensitive data from the database through boolean-based SQL injection 
</tt><tt>attacks.
</tt><pre style="margin: 0em;">
</pre><tt>4) The vulnerability is located within the EmailUIAjax interface. User 
</tt><tt>input passed through the "ids"
</tt><tt>parameter when handling the "removeContact" action isn’t properly 
</tt><tt>sanitized before being used to
</tt><tt>construct a SQL query. This can be exploited by malicious users to read 
</tt><tt>sensitive data from the database
</tt><pre style="margin: 0em;">through time-based SQL injection attacks.

</pre><tt>5) The vulnerability is located within the MailMerge module. User input 
</tt><tt>passed through the "rel_module"
</tt><tt>parameter when handling the "search" action isn’t properly sanitized 
</tt><tt>before being used to construct a
</tt><tt>SQL query. This can be exploited by malicious users to read sensitive 
</tt><tt>data from the database through
</tt><pre style="margin: 0em;">time-based SQL injection attacks.


[-] Solution:

Upgrade to version 7.11.11 or later.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
</pre><tt>[20/01/2020] - Vendor notified about public disclosure intention, no 
</tt><tt>response
</tt><pre style="margin: 0em;">[07/02/2020] - CVE number assigned
[10/02/2020] - Version 7.11.11 released
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8804 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2020-05">http://karmainsecurity.com/KIS-2020-05</a>


_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="6"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#7">By Date</a>
<a href="8"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="6"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#7">By Thread</a>
<a href="8"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2020-05] SuiteCRM &lt;= 7.11.10 Multiple SQL Injection Vulnerabilities</strong> <em>Egidio Romano (Feb 12)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started