SuiteCRM Authenticated Arbitrary File Upload Vulnerability in Configurator Module

Vulnerability

A vulnerability allowing authenticated arbitrary file uploads has been identified in the Configurator module of SuiteCRM. This issue affects versions 7.15.0 and prior, as well as 8.9.2 and prior. The vulnerability arises because authenticated administrators can bypass file type restrictions when uploading PDF font files, enabling the upload of arbitrary files with attacker-controlled filenames to the server. While the upload directory is not typically web-accessible by default, this vulnerability weakens the application's security boundaries and could facilitate further attacks, especially when combined with other vulnerabilities or under certain deployment configurations.
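The two weaknesses the advisory names are a file type check that can be bypassed and a stored filename the uploader controls. The following is an added illustration, not SuiteCRM's own code and not the patched Configurator code: a validator for a font upload endpoint that checks the extension against an allow-list, checks the leading bytes of the content against the format the extension claims, and regenerates the stored name so the client never chooses path components. The class and method names, the allow-list and the signature table are assumptions for this example; it generalizes beyond the advisory to any upload endpoint that is meant to accept only a narrow set of file types.

```php
<?php
// Added example (not SuiteCRM code): validate a font upload before it is stored.
declare(strict_types=1);

final class FontUploadValidator
{
    /** Extensions a PDF font uploader legitimately needs (assumed allow-list). */
    private const ALLOWED_EXTENSIONS = ['ttf', 'otf', 'afm', 'pfb'];

    /** Leading bytes of each container, taken from the public format specs. */
    private const MAGIC = [
        'ttf' => ["\x00\x01\x00\x00", "true"],   // TrueType (sfnt version 1.0 or Mac 'true')
        'otf' => ["OTTO"],                        // OpenType with CFF outlines
        'afm' => ["StartFontMetrics"],            // Adobe Font Metrics (text)
        'pfb' => ["\x80\x01"],                    // Printer Font Binary segment header
    ];

    /**
     * Return a safe basename to store the upload under, or throw.
     * The client-supplied name is used only to derive the extension and a stem;
     * directory components, dots and unusual characters never reach the disk.
     */
    public static function validate(string $clientName, string $tmpPath): string
    {
        // 1. Strip any path the client sent ("../../x.ttf", "C:\x.ttf").
        $base = basename(str_replace('\\', '/', $clientName));
        $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            throw new InvalidArgumentException("extension not allowed: '$ext'");
        }

        // 2. Check the content, not the client-declared MIME type or the name.
        $head = file_get_contents($tmpPath, false, null, 0, 16);
        if ($head === false) {
            throw new RuntimeException('cannot read uploaded file');
        }
        $matches = false;
        foreach (self::MAGIC[$ext] as $signature) {
            if (strncmp($head, $signature, strlen($signature)) === 0) {
                $matches = true;
                break;
            }
        }
        if (!$matches) {
            throw new InvalidArgumentException("content does not look like a .$ext file");
        }

        // 3. Regenerate the name: [a-z0-9_] stem plus the validated extension only,
        //    so "shell.php.ttf" becomes "shell_php.ttf" and cannot gain a second extension.
        $stem = strtolower(pathinfo($base, PATHINFO_FILENAME));
        $stem = trim(preg_replace('/[^a-z0-9_]/', '_', $stem), '_');
        $stem = substr($stem, 0, 40) ?: 'font';
        return $stem . '.' . $ext;
    }
}

// Demo with constructed sample files (not real fonts) written to a temp directory.
$dir = sys_get_temp_dir() . '/font_upload_demo_' . getmypid();
mkdir($dir);
$cases = [
    ['DejaVuSans.ttf', "\x00\x01\x00\x00" . str_repeat("\0", 12)], // plausible TrueType header
    ['../../evil.ttf', "\x00\x01\x00\x00" . str_repeat("\0", 12)], // traversal in the name
    ['shell.php',      "<?php echo 1;"],                           // extension not allowed
    ['fake.ttf',       "<?php echo 1;"],                           // allowed name, wrong content
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam($dir, 'up');
    file_put_contents($tmp, $bytes);
    try {
        printf("%-16s -> stored as %s\n", $name, FontUploadValidator::validate($name, $tmp));
    } catch (Exception $e) {
        printf("%-16s -> rejected: %s\n", $name, $e->getMessage());
    }
    unlink($tmp);
}
rmdir($dir);
```

The order of the three checks matters: the extension test is cheap and decides which signature table applies, the content test catches a script renamed to a font extension, and regenerating the name (rather than sanitizing it in place) removes the uploader's control over where the file lands. Keeping the upload directory outside the web root, as the advisory notes is the default, remains the second layer; this validator is the first.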

Impact

Exploitation of this vulnerability allows for authenticated arbitrary file uploads, with the potential for uploaded files to be executed or accessed in a way that could compromise the application or server.

Remediation

Users can upgrade to SuiteCRM versions 7.15.1 or 8.9.3 to address this vulnerability.

Added: Mar 19, 2026, 11:26 PM
Updated: Mar 19, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.8
remediation: 0.0
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.