Security Research & Advisories

Open Redirect Vulnerability in SuiteCRM

Product SuiteCRM
Affected Version(s) 7.11.13 and probably prior and probably prior
Tested Version(s) 7.11.13
Vendor Notification 10 June 2020
Advisory Publication 10 June 2020 [without technical details]
Vendor Fix 7.11.17
Public Disclosure 05 November 2020
Latest Modification 05 November 2020
CVE Identifier CVE-2020-15300
Product Description SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open source alternative application
Credits Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Open Redirect Vulnerability
Severity: Medium CVSS Score: 6.1 CWE-ID: CWE-601 Status: Open
Vulnerability Description
The application SuiteCRM is affected by an open redirect vulnerability affecting version 7.11.13 and probably prior versions. This vulnerability allows attackers to redirect users to an arbitrary URL after viewing the content of a specially crafted SVG (Scalable Vector Graphics) file.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required None Integrity Impact Low
User Interaction Required Availability Impact None



SuiteCRM application has an open redirect vulnerability due to the lack of content validation that specifies link to an external site. The vulnerability can be exploited by uploading a specially crafted SVG file with an external URL. Then the vulnerability is triggered when the user views the document´s content.

The following payload was successfully submitted to the server in the SVG file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
onload="window.location=''" xmlns="">

Exploitation Process

The following screenshot shows the “Documents” module which allows users to upload files.

To exploit the vulnerability, a specially crafted SVG file is needed. The following screenshot shows the content of the “redirect.svg” file. As it can be observed, the payload provides an URL where the user will be redirected to.

The screenshots below show the requests made to the server when the user uploads the SVG file.

After following the redirection, the content of the file can be displayed by clicking the “eye” symbol shown in the screenshot below:

After clicking the eye symbol, a new browser tab is opened and the user is redirected to the URL provided in the SVG file content. The following screenshots show that the “Referer” header points to the Document’s preview URL.