|Affected Version(s)||7.11.13 and probably prior|
|Vendor Notification||12 June 2020|
|Advisory Publication||12 June 2020 [without technical details]|
|Public Disclosure||05 November 2020|
|Latest Modification||05 November 2020|
|Product Description||SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open-source alternative to SugarCRM.|
|Credits||Luis Noriega, Security Researcher & Penetration Tester @wizlynx group|
|Stored Cross-Site Scripting (XSS) Vulnerability|
|Severity: Medium||CVSS Score: 6.1||CWE-ID: CWE-79||Status: Open|
|The SuiteCRM application is affected by a stored Cross-Site Scripting (XSS) vulnerability in version 7.11.13 and probably prior versions. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML by uploading a document whose content carries a crafted payload.|
|CVSS Base Score|
|Attack Complexity||Low|
|Privileges Required||None|
|User Interaction||Required|
|Confidentiality Impact||Low|
|Integrity Impact||Low|
|Availability Impact||Low|
The SuiteCRM application has a stored Cross-Site Scripting (XSS) vulnerability caused by the lack of content validation and output encoding in the Documents module. An attacker exploits it by uploading a document whose content carries a crafted payload; the payload is then executed in the browser of any user who previews the document's content.
The following payload (shown in the screenshot) was successfully submitted to the server as the document's content:
The following screenshot shows the "Documents" module, which allows users to upload files.
To exploit the vulnerability, a .txt file can be uploaded. The screenshot below shows the content of the "message.txt" file. As can be seen, the payload is a simple alert which displays the message "@nogagmx".
The screenshots below show the request made to the server when the user uploads the "message.txt" file.
After following the redirection, the content of the file can be viewed by clicking on the eye symbol, as shown in the screenshot below:
A new browser tab is then opened and the payload previously injected into the document's content is executed.
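The root cause named above is that the preview route echoes the uploaded file's bytes into an HTML page without output encoding. The following is an added example (not SuiteCRM code and not part of the original advisory) that contrasts that unsafe pattern with a hardened preview, shows the response headers a raw-file route should send so a text file is never interpreted as HTML, and includes a small check that a tester can run over captured preview responses to decide whether an injected marker survived as live markup. The file name, the stand-in payload and the helper names are assumptions; the advisory shows the real payload only in a screenshot.

```python
"""Added example: unsafe vs. hardened document preview, plus a reflection check.
None of this is SuiteCRM's own code; names and sample data are constructed."""
import html
import re

# Constructed stand-in for the uploaded "message.txt" body. The real payload is
# only shown in the advisory's screenshot; this one pops the same message.
PAYLOAD = "<script>alert('@nogagmx')</script>"
UPLOADED_TXT = "Hello team,\n" + PAYLOAD + "\nRegards"


def preview_vulnerable(doc_name: str, content: str) -> str:
    """Unsafe pattern: the document body and name are interpolated straight
    into HTML, so any tags inside the uploaded file become live markup."""
    return f"<html><body><h1>{doc_name}</h1><pre>{content}</pre></body></html>"


def preview_hardened(doc_name: str, content: str) -> str:
    """Hardened pattern: every untrusted string is HTML-encoded before it is
    placed in the page, so '<', '>', quotes and '&' render as text."""
    return (
        "<html><body><h1>"
        + html.escape(doc_name, quote=True)
        + "</h1><pre>"
        + html.escape(content, quote=True)
        + "</pre></body></html>"
    )


def raw_download_headers(doc_name: str) -> dict:
    """Headers for a route that serves the raw uploaded file: declare it as
    plain text, force a download, forbid MIME sniffing and sandbox it.
    The file name is sanitised so it cannot break out of the header value."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", doc_name)
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def payload_reflected(response_body: str, marker: str) -> bool:
    """Tester's check: True if the injected marker appears verbatim in the
    response (live markup), False if it is absent or was encoded away."""
    return marker in response_body


if __name__ == "__main__":
    for name, fn in (("vulnerable", preview_vulnerable), ("hardened", preview_hardened)):
        body = fn("message.txt", UPLOADED_TXT)
        print(f"{name}: payload reflected unencoded = {payload_reflected(body, PAYLOAD)}")
    print(raw_download_headers("message.txt"))
```

When verifying a fix, feed the captured preview response body to `payload_reflected` with the exact string that was uploaded; a result of `False` together with the encoded form (`&lt;script&gt;`) being present in the body shows output encoding is in place, whereas merely blocking `<script>` at upload time leaves event-handler and `<img>`/`<svg>` variants untested.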