Security Research & Advisories

CSV Injection Vulnerability in SuiteCRM

Product SuiteCRM
Affected Version(s) 7.11.13 and probably prior
Tested Version(s) 7.11.13
Vendor Notification June 10, 2020
Advisory Publication June 10, 2020 [without technical details]
Vendor Fix N/A
Public Disclosure N/A
Latest Modification June 10, 2020
CVE Identifier(s) CVE-2020-15301
Product Description SuiteCRM is a software fork of the popular Customer Relationship Management (CRM) system SugarCRM, developed and maintained by SalesAgility. It is a free and open source alternative application
Credits Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

CSV Injection Vulnerability
Severity: Medium CVSS Score: 5.4 CWE-ID: CWE-74 Status: Not Fixed
Vulnerability Description
The application SuiteCRM is affected by a CSV injection vulnerability (aka Formula Injection) affecting version 7.11.13 and probably prior versions. An attacker can use the Accounts, Contacts, Opportunities or Leads modules to inject malicious payloads in the registration fields. When an authenticated administrator uses the Download Import File Template feature to export the details of all registers into a CSV file and open it, the payload gets executed.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction Required Availability Impact None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.