SuiteCRM SQL Injection Vulnerability in Email Module
Vulnerability
A SQL injection vulnerability has been identified in SuiteCRM version 7.10.7. This vulnerability allows authenticated attackers to manipulate database queries by injecting SQL code through the 'parentTab' parameter. Exploitation involves sending GET requests to the email module with crafted 'parentTab' values, using boolean-based SQL injection techniques to extract sensitive information from the database.
Impact
Exploitation of this vulnerability allows for unauthorized database access and manipulation, potentially leading to the exposure of sensitive information.
Reproduction
To reproduce this vulnerability, log into SuiteCRM 7.10.7 and navigate to the email module. Once there, modify the 'parentTab' parameter in the URL so that it carries a boolean-based SQL injection payload, that is, a conditional expression whose truth value changes how the underlying SQL query executes.
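The defect class the advisory describes, reduced to a self-contained illustration. This is added example code, not SuiteCRM's source: it uses an in-memory SQLite table with a made-up `tabs` schema rather than the CRM's real tables, and the function names are invented. It places the concatenated query (the pattern that turns 'parentTab' into a true/false oracle) beside a hardened version that allowlists the tab name and binds it as a parameter.

```python
import sqlite3

# Constructed stand-in for a module/tab table; the schema is invented for this
# example and is not SuiteCRM's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabs (name TEXT PRIMARY KEY, visible INTEGER)")
    conn.executemany(
        "INSERT INTO tabs VALUES (?, ?)",
        [("Emails", 1), ("Activities", 1), ("Admin", 0)],
    )
    return conn

def count_visible_vulnerable(conn, parent_tab):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    A value such as  Emails' AND '1'='1  becomes part of the WHERE clause, so
    the caller controls a boolean condition and can read the result as a
    true/false oracle (the boolean-based technique the advisory describes).
    """
    sql = (
        "SELECT COUNT(*) FROM tabs WHERE name = '" + parent_tab + "'"
        " AND visible = 1"
    )
    return conn.execute(sql).fetchone()[0]

# Tab names the application actually knows about; anything else is rejected
# before it gets near the database.
ALLOWED_TABS = frozenset({"Emails", "Activities", "Accounts"})

def count_visible_hardened(conn, parent_tab):
    """Hardened version: allowlist the value, then bind it as a parameter.

    Either control alone stops this injection; using both means a gap in one
    does not reopen the hole.
    """
    if parent_tab not in ALLOWED_TABS:
        raise ValueError("unknown parentTab value: %r" % parent_tab)
    sql = "SELECT COUNT(*) FROM tabs WHERE name = ? AND visible = 1"
    return conn.execute(sql, (parent_tab,)).fetchone()[0]

def oracle_leaks(conn):
    """True if the vulnerable query answers differently to a true and a false
    injected condition, i.e. if it can serve as a boolean oracle."""
    true_cond = count_visible_vulnerable(conn, "Emails' AND '1'='1")
    false_cond = count_visible_vulnerable(conn, "Emails' AND '1'='2")
    return true_cond != false_cond

if __name__ == "__main__":
    db = build_db()
    print("vulnerable query usable as boolean oracle:", oracle_leaks(db))
    print("hardened, legitimate value:", count_visible_hardened(db, "Emails"))
    try:
        count_visible_hardened(db, "Emails' AND '1'='1")
    except ValueError as exc:
        print("hardened, injected value rejected:", exc)
```

The allowlist is the control that matters most for a parameter like this one: a tab name is drawn from a small, known set, so there is no reason to let arbitrary strings reach the query builder at all, parameterised or not.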
Remediation
Users should upgrade to SuiteCRM 8.9.3, 7.15.1, or 7.14.9, all of which include the security patch for this vulnerability.
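Until the upgrade is applied, a defender can at least see attempts against this parameter in web-server access logs. The following is an added example, not part of the advisory or of SuiteCRM: it parses constructed Apache-style log lines (invented for this example), decodes the 'parentTab' query parameter and flags values that are not a plain identifier, which is all a legitimate tab name ever looks like. Because the boolean-based technique shows up as pairs of near-identical requests from one client whose responses differ in size, the example also groups hits by client address so that pattern is visible.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined format; they are invented for
# this example and are not real SuiteCRM or web-server logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities%27+AND+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities%27+AND+%271%27%3D%272 HTTP/1.1" 200 3980 "-" "python-requests/2.31"
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?module=Accounts&action=index HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# A legitimate parentTab value is a module name: letters, digits, underscore.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]+")
# Tokens that have no business in a tab name; used only to label the finding.
SQL_HINT_RE = re.compile(r"(?i)(['\"]|--|/\*|\b(and|or|union|select|sleep|benchmark)\b)")

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def parent_tab_value(target):
    """Decoded parentTab value from the request target, or None if absent."""
    qs = parse_qs(urlsplit(target).query)
    values = qs.get("parentTab")
    return values[0] if values else None

def classify(value):
    """None for a benign identifier, otherwise a short reason string."""
    if IDENTIFIER_RE.fullmatch(value):
        return None
    hint = SQL_HINT_RE.search(value)
    return "sql-token:" + hint.group(0) if hint else "non-identifier"

def find_suspicious(log_text):
    """All requests whose parentTab value is not a plain identifier."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        value = parent_tab_value(rec["target"])
        if value is None:
            continue
        reason = classify(value)
        if reason:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "value": value,
                         "status": rec["status"], "size": rec["size"],
                         "reason": reason})
    return hits

def group_by_client(hits):
    """Client address -> list of response sizes. Differing sizes across
    near-identical requests are the signature of a boolean-based probe."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h["size"])
    return by_ip

if __name__ == "__main__":
    suspicious = find_suspicious(SAMPLE_LOG)
    for h in suspicious:
        print(h["ts"], h["ip"], h["reason"], repr(h["value"]), h["size"])
    for ip, sizes in group_by_client(suspicious).items():
        print(ip, "probes:", len(sizes), "distinct response sizes:", len(set(sizes)))
```

The check is deliberately an allowlist on the decoded value rather than a blocklist of SQL keywords: the keyword match only annotates the finding, so encoding tricks that defeat it still produce an alert. Run it over a real log only after confirming the log records the full query string, which many default configurations do for GET requests but not for POST bodies.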