SuiteCRM Privilege Escalation Vulnerability Allowing Self-Reactivation of Inactive Accounts
Vulnerability
A privilege escalation vulnerability has been identified in SuiteCRM versions 7.14.7 and prior, as well as in versions 8.0.0-beta.1 through 8.9.0. Deactivating an account does not terminate the sessions that account already has, so a deactivated user who is still logged in keeps full access to the application. Because the user can also edit the status field of their own profile, they can set the account back to Active themselves. Administrative deactivation is therefore not enforced against a live session at all, and the user can turn that session into lasting, unauthorized access.
Impact
A user whose account has been deactivated retains access through any session that was open at the time and can set the account status back to Active, reversing the administrator's action. Deactivation alone therefore cannot be relied on to cut off a departing or compromised user while that user still holds a valid session.
Reproduction
Log in as a non-administrative user and keep that session open. In a separate session, as an administrator, deactivate that user's account. The user's original session continues to work: the user can open their own profile, change the status field from Inactive back to Active, and save. Re-opening the user record as the administrator confirms that the account is Active again.
Remediation
Upgrade to SuiteCRM 7.14.8 or 8.9.1. Those releases invalidate a user's sessions when the account is deactivated and restrict changes to the account status field to administrators. After upgrading, administrators should also review accounts that were deactivated while an affected version was in use and confirm that they are still Inactive, since a user could have reactivated one before the fix was applied.
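The reproduction steps and the two remediation properties above, modelled as an added Python example. This is not SuiteCRM's own code and uses none of its APIs; the classes VulnerableServer, HardenedServer, SessionStore and the function run_scenario are hypothetical. The vulnerable variant checks account status only at login and treats status as an ordinary profile field; the hardened variant re-checks the stored status on every request, revokes sessions at deactivation, and lets only administrators change status.

```python
# Added illustration, not SuiteCRM code: a minimal model of the flaw above and of
# the two fixes the advisory describes. All names here are hypothetical.
from dataclasses import dataclass
import secrets


@dataclass
class User:
    name: str
    status: str = "Active"   # "Active" or "Inactive"
    is_admin: bool = False


class SessionStore:
    """Maps opaque session tokens to user names."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def revoke_for_user(self, username):
        for token in [t for t, u in self._sessions.items() if u == username]:
            del self._sessions[token]


class VulnerableServer:
    """Checks account status only at login, and lets users edit every field
    of their own profile, status included."""

    def __init__(self, users, sessions):
        self.users, self.sessions = users, sessions   # users: name -> User

    def login(self, name):
        if self.users[name].status != "Active":
            raise PermissionError("account inactive")
        return self.sessions.create(name)

    def current_user(self, token):
        name = self.sessions.lookup(token)
        if name is None:
            raise PermissionError("no session")
        return self.users[name]

    def deactivate(self, admin_token, target):
        if not self.current_user(admin_token).is_admin:
            raise PermissionError("admin only")
        self.users[target].status = "Inactive"
        # Flaw 1: the target's live sessions survive this call.

    def save_profile(self, token, **fields):
        me = self.current_user(token)
        for key, value in fields.items():
            setattr(me, key, value)   # Flaw 2: status is just another field.


class HardenedServer(VulnerableServer):
    def current_user(self, token):
        # Re-check stored status on every request, not only at login, so a
        # session that outlived its account is rejected and dropped.
        user = super().current_user(token)
        if user.status != "Active":
            self.sessions.revoke_for_user(user.name)
            raise PermissionError("account inactive")
        return user

    def deactivate(self, admin_token, target):
        super().deactivate(admin_token, target)
        self.sessions.revoke_for_user(target)   # fix 1: invalidate sessions now

    def save_profile(self, token, **fields):
        if "status" in fields and not self.current_user(token).is_admin:
            raise PermissionError("only administrators may change status")  # fix 2
        super().save_profile(token, **fields)


def run_scenario(server_cls):
    """Replays the advisory's reproduction steps and reports the outcome."""
    users = {"admin": User("admin", is_admin=True), "alice": User("alice")}
    sessions = SessionStore()
    srv = server_cls(users, sessions)
    admin_token = srv.login("admin")
    alice_token = srv.login("alice")       # alice is logged in before deactivation
    srv.deactivate(admin_token, "alice")
    try:
        srv.save_profile(alice_token, status="Active")   # self-reactivation attempt
        reactivated = True
    except PermissionError:
        reactivated = False
    return {
        "reactivated": reactivated,
        "status": users["alice"].status,
        "session_live": sessions.lookup(alice_token) is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableServer))
    print("hardened:  ", run_scenario(HardenedServer))
```

Running the scenario against VulnerableServer reports the account back at Active with the stale session still valid; against HardenedServer the session is gone the moment the account is deactivated and the status edit is refused. The per-request status check in HardenedServer.current_user is the part that matters even if session revocation is later missed somewhere, since it closes the window from the other side.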
