| Field | Value |
| --- | --- |
| Affected Version(s) | 7.11.13 and probably prior |
| Vendor Notification | 10 June 2020 |
| Advisory Publication | 10 June 2020 [without technical details] |
| Public Disclosure | 05 November 2020 |
| Latest Modification | 05 November 2020 |
| Product Description | SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open source alternative application. |
| Credits | Luis Noriega, Security Researcher & Penetration Tester @wizlynx group |
Open Redirect Vulnerability

| Severity | CVSS Score | CWE-ID | Status |
| --- | --- | --- | --- |
| Medium | 6.1 | CWE-601 | Open |
|The application SuiteCRM is affected by an open redirect vulnerability affecting version 7.11.13 and probably prior versions. This vulnerability allows attackers to redirect users to an arbitrary URL after viewing the content of a specially crafted SVG (Scalable Vector Graphics) file.|
CVSS Base Score

| Metric | Value | Metric | Value |
| --- | --- | --- | --- |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | None | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | None |
The SuiteCRM application has an open redirect vulnerability due to a lack of validation of uploaded file content, which allows an uploaded file to specify a link to an external site. The vulnerability can be exploited by uploading a specially crafted SVG file containing an external URL; it is triggered when a user views the document's content.
The following payload was successfully submitted to the server in the SVG file:
The following screenshot shows the "Documents" module, which allows users to upload files.
To exploit the vulnerability, a specially crafted SVG file is needed. The following screenshot shows the content of the "redirect.svg" file. As can be observed, the payload provides a URL to which the user will be redirected.
The screenshots below show the requests made to the server when the user uploads the SVG file.
After following the redirection, the content of the file can be displayed by clicking the “eye” symbol shown in the screenshot below:
After clicking the eye symbol, a new browser tab is opened and the user is redirected to the URL provided in the SVG file content. The following screenshots show that the “Referer” header points to the Document’s preview URL.
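The root cause described above is that the Documents module accepts any SVG content and later renders it inline, so the file itself can navigate the viewer away. The check below is an added example written for this advisory; it is not SuiteCRM code and does not reproduce the researcher's payload. It uses the Python standard library to parse an uploaded SVG and reject the constructs that let an SVG leave the page (scripting, event handler attributes, embedded HTML, and links to a non-local origin), and it builds the response headers a server can use so that a stored SVG is downloaded rather than rendered in the application's origin. The two sample SVGs at the bottom are constructed for the demonstration; the `attacker.invalid` host is a placeholder.

```python
"""Defender-side validation for uploaded SVG files (added example, not SuiteCRM code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HTML_NS = "http://www.w3.org/1999/xhtml"

# Elements that can run code or embed an HTML document (and with it a meta refresh).
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that may carry a URL to another origin; xlink:href is namespaced in ElementTree.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS, "formaction", "action"}


def _local(tag):
    """Strip the namespace from an ElementTree name: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def _is_local_reference(value):
    """Allow same-document fragments and inline image data URIs only."""
    v = value.strip().lower()
    return v.startswith("#") or v.startswith("data:image/")


def svg_upload_findings(svg_bytes):
    """Return the reasons an uploaded SVG should be rejected (empty list = accepted)."""
    findings = []
    # ElementTree drops processing instructions, so check this one on the raw bytes:
    # an xml-stylesheet PI can pull a resource from another origin.
    if b"<?xml-stylesheet" in svg_bytes:
        findings.append("xml-stylesheet processing instruction")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}svg" % SVG_NS:
        findings.append("root element is not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if el.tag.startswith("{%s}" % HTML_NS):
            findings.append("embedded HTML element <%s>" % name)
        if name in FORBIDDEN_TAGS:
            findings.append("forbidden element <%s>" % name)
        for attr, value in el.attrib.items():
            # Every on* attribute in SVG is an event handler.
            if _local(attr).lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (_local(attr), name))
            if attr in URL_ATTRS and not _is_local_reference(value):
                findings.append("external reference in %s on <%s>" % (_local(attr), name))
    return findings


def download_headers(filename):
    """Headers for serving a stored SVG as a download inside a sandboxed policy,
    so the browser never renders it as a navigable document in the app's origin."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples (not from the advisory): a plain drawing, and one carrying
# the kinds of constructs an upload check must refuse. The script body is a
# placeholder comment; the check rejects any script element regardless of content.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle id="a" cx="5" cy="5" r="4"/><use href="#a"/></svg>'
)
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>/* constructed placeholder */</script>'
    b'<a xlink:href="https://attacker.invalid/"><text y="10">x</text></a>'
    b'<image onload="0" href="#a"/></svg>'
)

if __name__ == "__main__":
    print("benign:", svg_upload_findings(BENIGN_SVG))
    print("suspicious:", svg_upload_findings(SUSPICIOUS_SVG))
    print(download_headers("redirect.svg"))
```

The validator is a reject-list over the constructs that matter for this bug class; the header function is the complementary control, since even an SVG that passes today's check should not be rendered inline from the application's origin. For production use, parse with a hardened XML parser (such as `defusedxml`) to also cover entity-expansion attacks, which the standard library parser does not guard against.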