SuiteCRM Security Vulnerability

Vulnerability ID: 1929229    Vulnerability type: SQL injection
Published: 2020-02-14    Updated: 2020-03-06
CVE ID: CVE-2020-8802    CNNVD ID: CNNVD-202002-761
Platform: N/A    CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2020020076
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202002-761
|Vulnerability details
SalesAgility SuiteCRM is an enterprise-grade open-source customer relationship management (CRM) suite. SuiteCRM 7.11.11 and earlier contain a SQL injection vulnerability. An attacker can exploit it to view, add, modify, or delete information in the back-end database.
|Exploit / advisory
--------------------------------------------------------------------------
SuiteCRM <= 7.11.11 (action_saveHTMLField) Bean Manipulation Vulnerability
--------------------------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerability Description:

The vulnerability exists because the "HomeController::action_saveHTMLField()" method allows creating new beans or modifying arbitrary beans' fields. This can result in second-order SQL Injection or PHP Object Injection attacks.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8802 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-03
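
The second-order SQL injection the advisory refers to, shown as an added illustration that is not part of the advisory or of SuiteCRM's code base. A record field is written through a parameterized query, so the write itself is safe and the attacker's value is stored intact; a later, unrelated read path then rebuilds SQL from the stored value by string concatenation. The table names, the `save_field` / `contacts_for_account_*` functions, the sample rows and the payload are all constructed for this example and do not correspond to SuiteCRM's schema, to the fields reachable through action_saveHTMLField(), or to any real sink in the product. The fixed variant binds the stored value as a parameter at the read.

```python
import sqlite3

# Constructed sample schema and rows; this is not SuiteCRM's schema.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE contacts (id INTEGER PRIMARY KEY,
                               account_name TEXT NOT NULL, email TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO accounts (name) VALUES (?)", [("Acme",), ("Globex",)])
    conn.executemany(
        "INSERT INTO contacts (account_name, email) VALUES (?, ?)",
        [("Acme", "alice@acme.example"), ("Globex", "gus@globex.example")],
    )
    conn.commit()
    return conn


def save_field(conn, account_id, value):
    """First-order write (hypothetical stand-in for an 'update any field' endpoint).
    It is parameterized, so it is not injectable by itself; that is exactly why
    the payload survives verbatim for a later sink to trust."""
    conn.execute("UPDATE accounts SET name = ? WHERE id = ?", (value, account_id))
    conn.commit()


def load_name(conn, account_id):
    row = conn.execute("SELECT name FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return row[0] if row else None


def contacts_for_account_vulnerable(conn, account_id):
    """Second-order sink: the stored value is treated as trusted because it
    'came from the database' and is concatenated into a new query."""
    name = load_name(conn, account_id)
    sql = "SELECT email FROM contacts WHERE account_name = '" + name + "'"
    return [email for (email,) in conn.execute(sql)]


def contacts_for_account_fixed(conn, account_id):
    """Same read path, with the stored value bound as a parameter instead."""
    name = load_name(conn, account_id)
    return [email for (email,) in conn.execute(
        "SELECT email FROM contacts WHERE account_name = ?", (name,))]


# Constructed payload. A single statement is used because sqlite3.execute()
# refuses stacked queries; a tautology is enough to widen the WHERE clause.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = setup_db()
    before = contacts_for_account_vulnerable(conn, 1)   # ['alice@acme.example']
    save_field(conn, 1, PAYLOAD)                        # stored verbatim, no error
    leaked = contacts_for_account_vulnerable(conn, 1)   # every contact, not just Acme's
    safe = contacts_for_account_fixed(conn, 1)          # [] (no account literally so named)
    return before, leaked, safe


if __name__ == "__main__":
    print(demo())
```

The defensive point is that a parameterized write does not protect a later read that rebuilds SQL from stored data; every sink must bind stored values as parameters. The PHP object injection the advisory mentions alongside the SQL case has the same store-then-trust shape, with a stored field eventually reaching `unserialize()` instead of a query string.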



|References

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html


Source: seclists.org

Link: http://seclists.org/fulldisclosure/2020/Feb/5


Source: suitecrm.com

Link: https://suitecrm.com