SuiteCRM Access Control Bypass Vulnerability in Resource Calendar and Project Modules
Vulnerability
An access control bypass vulnerability has been identified in SuiteCRM versions through 7.14.7 and in 8.0.0-beta.1 prior to 8.9.0. It allows low-privileged users assigned restrictive roles to view and create work items in the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, and Calls) are explicitly disabled in Role Management. The issue stems from inconsistent enforcement of Access Control Lists (ACLs) and Role-Based Access Control (RBAC) across modules and views: a composite view such as the Resource Calendar is gated on its own access setting rather than on the ACL of each module whose records it displays or creates, leading to unauthorized exposure and modification of data.
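The following is an added illustration, not SuiteCRM code, of the flaw class described above: a composite view that checks only its own access setting, shown beside a version that re-checks every aggregated record and every create action against the owning module's ACL. Role names, module names and records are constructed samples.

```python
# Added illustration (not SuiteCRM code) of view-level vs. module-level ACL
# enforcement. Roles, modules and records below are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Role:
    name: str
    # module -> allowed actions; a module absent from the map is disabled
    module_access: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, module: str, action: str) -> bool:
        return action in self.module_access.get(module, set())

# Constructed sample records, each tagged with the module that owns it.
RECORDS: List[dict] = [
    {"module": "Projects", "id": "P1", "name": "Migration"},
    {"module": "ProjectTasks", "id": "T1", "name": "Cut-over"},
    {"module": "Meetings", "id": "M1", "name": "Kick-off"},
]

def calendar_view_unchecked(role: Role) -> List[dict]:
    """Vulnerable pattern: gates only on the calendar view itself, so
    records from disabled modules are still returned."""
    if not role.allows("ResourceCalendar", "view"):
        return []
    return list(RECORDS)

def calendar_view_checked(role: Role) -> List[dict]:
    """Hardened pattern: each aggregated record is re-checked against the
    ACL of the module it belongs to before it is shown."""
    if not role.allows("ResourceCalendar", "view"):
        return []
    return [r for r in RECORDS if role.allows(r["module"], "view")]

def create_task_checked(role: Role, project_id: str, name: str) -> Optional[dict]:
    """Creating a task from the calendar requires 'edit' on ProjectTasks and
    'view' on the parent Projects module, not merely access to the view."""
    if not (role.allows("ResourceCalendar", "view")
            and role.allows("ProjectTasks", "edit")
            and role.allows("Projects", "view")):
        return None
    return {"module": "ProjectTasks", "id": "new", "name": name,
            "parent": project_id}

# Constructed restricted role: calendar enabled, every other module disabled.
RESTRICTED = Role("restricted", {"ResourceCalendar": {"view"}})

if __name__ == "__main__":
    print(len(calendar_view_unchecked(RESTRICTED)))    # 3: all records leak
    print(len(calendar_view_checked(RESTRICTED)))      # 0
    print(create_task_checked(RESTRICTED, "P1", "x"))  # None
```

The same per-module check belongs on every path that reads or writes module records through another screen, not only on the module's own list and detail views.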
Impact
Exploitation of this vulnerability allows unauthorized access to restricted records, including project names, project tasks, and resource calendar entries. It also allows low-privileged users to create new tasks within projects, disrupting project management workflows.
Remediation
Users can upgrade to SuiteCRM versions 7.14.8 or 8.9.1 to address this vulnerability.
