SuiteCRM SQL Injection Vulnerability in AOR_Reports Module

Vulnerability

A SQL injection vulnerability has been identified in SuiteCRM versions prior to 7.15.1 and 8.9.3. The issue arises in the AOR_Reports module, where the 'field_function' parameter from POST data is saved into the 'aor_fields' table without proper validation. This unsanitized data is later concatenated into a SQL SELECT query when the report is executed or viewed, allowing authenticated users with Reports access to perform second-order SQL injection. Exploitation of this vulnerability could lead to the extraction of arbitrary database contents, such as password hashes, API tokens, and configuration values. Additionally, on MySQL with FILE privilege, this could result in remote code execution via SELECT INTO OUTFILE.
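
The store-then-concatenate pattern described above, as an added example that is not SuiteCRM's code: a simplified stand-in for the aor_fields table (schema, column names and the reported-on accounts table are constructed assumptions), the vulnerable save/build path beside a hardened one, and a demonstration that the stored value only becomes a problem when the report query is built. Because field_function and the column name are SQL identifiers, they cannot be bound as query parameters; the fix validates them against an allowlist (the set of aggregate functions shown is an assumption, not the product's list) both when the POST is saved and again when the stored row is read, so rows written before the fix are not trusted either.

```python
import re
import sqlite3

# Constructed stand-in for the relevant tables; not SuiteCRM's real schema.
SCHEMA = """
CREATE TABLE aor_fields (id INTEGER PRIMARY KEY, field TEXT NOT NULL, field_function TEXT NOT NULL);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, annual_revenue INTEGER);
INSERT INTO accounts (name, annual_revenue) VALUES ('Acme', 100), ('Globex', 250);
"""

# Assumed allowlist of aggregate functions a report field may apply; "" means
# no function. Identifiers cannot be parameterised, so an allowlist (not
# escaping) is the control.
ALLOWED_FIELD_FUNCTIONS = frozenset({"", "COUNT", "SUM", "AVG", "MIN", "MAX"})
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def validate_field_function(value: str) -> str:
    fn = value.strip().upper()
    if fn not in ALLOWED_FIELD_FUNCTIONS:
        raise ValueError(f"field_function not allowlisted: {value!r}")
    return fn


def validate_column(conn: sqlite3.Connection, column: str) -> str:
    # Identifier shape first, then existence in the reported-on table.
    if not IDENTIFIER_RE.match(column):
        raise ValueError(f"invalid column identifier: {column!r}")
    known = {row[1] for row in conn.execute("PRAGMA table_info(accounts)")}
    if column not in known:
        raise ValueError(f"unknown column: {column!r}")
    return column


def save_report_field_unsafe(conn, field: str, field_function: str) -> None:
    # Vulnerable pattern: the POSTed value is stored as received. This INSERT
    # is parameterised, so nothing breaks here; the injection is deferred
    # until the stored text is used to build the report query.
    conn.execute("INSERT INTO aor_fields (field, field_function) VALUES (?, ?)",
                 (field, field_function))


def save_report_field_safe(conn, field: str, field_function: str) -> None:
    # Fixed pattern: reject anything outside the allowlist before storing it.
    conn.execute("INSERT INTO aor_fields (field, field_function) VALUES (?, ?)",
                 (validate_column(conn, field), validate_field_function(field_function)))


def build_report_sql_unsafe(conn, field: str, field_function: str) -> str:
    # Second-order sink: whatever sits in aor_fields.field_function lands in
    # the SELECT list verbatim.
    expr = f"{field_function}({field})" if field_function else field
    return f"SELECT {expr} FROM accounts"


def build_report_sql_safe(conn, field: str, field_function: str) -> str:
    # Re-validate at the sink too: a row is not trustworthy just because it
    # is already in the database (e.g. written before the fix).
    fn = validate_field_function(field_function)
    col = validate_column(conn, field)
    expr = f"{fn}({col})" if fn else col
    return f"SELECT {expr} FROM accounts"


def run_report(conn, builder) -> list:
    # Build and execute one query per stored report field; return (sql, value).
    results = []
    for field, fn in conn.execute("SELECT field, field_function FROM aor_fields ORDER BY id"):
        sql = builder(conn, field, fn)
        results.append((sql, conn.execute(sql).fetchone()[0]))
    return results


def demo() -> dict:
    conn = open_db()
    save_report_field_safe(conn, "annual_revenue", "SUM")      # legitimate field
    legit = run_report(conn, build_report_sql_safe)

    # Constructed tampered value: a function name outside the allowlist. The
    # unsafe path stores it and the database executes it; the safe path
    # rejects it at read time, and the fixed save never stores it at all.
    conn.execute("DELETE FROM aor_fields")
    save_report_field_unsafe(conn, "annual_revenue", "LOWER")
    unsafe = run_report(conn, build_report_sql_unsafe)
    try:
        run_report(conn, build_report_sql_safe)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    try:
        save_report_field_safe(conn, "annual_revenue", "LOWER")
        save_rejected = False
    except ValueError:
        save_rejected = True
    return {"legit": legit, "unsafe": unsafe,
            "safe_rejected": safe_rejected, "save_rejected": save_rejected}


if __name__ == "__main__":
    print(demo())
```

The re-validation in build_report_sql_safe is the part most often missed after a patch like this one: fixing the save path stops new bad rows, but any value already stored in aor_fields still reaches the query unless the read path checks it as well.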

Impact

Exploitation allows authenticated users with Reports access to execute arbitrary SQL commands, potentially leading to unauthorized data access or modification. On MySQL with FILE privilege, this could result in remote code execution.

Remediation

Upgrade to SuiteCRM 7.15.1 (7.x line) or 8.9.3 (8.x line), the releases that address this vulnerability.

Added: Mar 19, 2026, 11:30 PM
Updated: Mar 19, 2026, 11:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.8
remediation: 0.0
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.