SuiteCRM SQL Injection Vulnerability in Search Functionality
Vulnerability
A SQL injection vulnerability has been identified in SuiteCRM versions 7.14.7 and below, as well as in versions 8.0.0-beta.1 through 8.9.0. The vulnerability allows an attacker to manipulate SQL queries by supplying a crafted 'call_id' parameter value, which could lead to unauthorized data access, data exfiltration, and potentially a complete database compromise. The issue lies in the application's search functionality: the 'call_id' value reaches the database query without adequate sanitization, so injected SQL is executed and bypasses the intended query parameters and logic.
Impact
Exploitation of this vulnerability could result in arbitrary SQL execution, allowing attackers to manipulate database queries. This could lead to unauthorized data access, data exfiltration, and a complete compromise of the application's database.
Reproduction
To reproduce this vulnerability, send a request to the application's search endpoint with a crafted 'call_id' that includes malicious SQL. The injected SQL will be executed by the application's database, potentially leading to unauthorized data access or manipulation.
Remediation
Users should upgrade to SuiteCRM version 7.14.8 (7.x line) or 8.9.1 (8.x line), which address this vulnerability.
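Until the upgrade is applied, defenders can watch for the abuse pattern described above. The following added example (not SuiteCRM's own code) applies an allow-list check to 'call_id', which in SuiteCRM is always a 36-character GUID, and runs it over constructed access-log lines to flag search requests whose 'call_id' cannot be a record identifier; the /search path and the log lines are placeholders, not the application's real route or real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# SuiteCRM record identifiers are 36-character GUIDs (8-4-4-4-12 hex groups).
# A call_id that does not have this shape cannot reference a record and should
# be rejected before it ever reaches a query builder.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_valid_call_id(value: str) -> bool:
    """Allow-list check: True only for a well-formed GUID, nothing else."""
    return GUID_RE.fullmatch(value) is not None


def suspicious_call_ids(log_lines):
    """Scan combined-format access-log lines and return (client_ip, decoded
    call_id) for every request whose call_id fails the allow-list check.
    Requests that carry no call_id are ignored."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a combined-format line; skip it
        client_ip, request_path = parts[0], parts[6]
        # parse_qs percent-decodes each value once, so "%27" becomes "'"
        query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
        for value in query.get("call_id", []):
            if not is_valid_call_id(value):
                findings.append((client_ip, value))
    return findings


# Constructed sample log lines (not real traffic); /search stands in for the
# affected search endpoint and is not SuiteCRM's actual route.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /search?module=Calls&call_id=3f2a9c1e-1234-4a5b-8c6d-0123456789ab HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /search?module=Calls&call_id=1%27%20OR%201%3D1 HTTP/1.1" 200 9812',
    '10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /search?module=Calls&query=meeting HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, value in suspicious_call_ids(SAMPLE_LOG):
        print(f"suspicious call_id from {ip}: {value!r}")
```

The same `is_valid_call_id` check belongs in the request handler itself, ahead of any query construction; logging hits from the scanner gives a low-noise signal because legitimate clients never send a non-GUID 'call_id'.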