Suite CRM v7.14.2 - RCE via LFI
9.9
Critical
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Suite CRM v7.14.2 - RCE via LFI
Code name:
State: Public
Release date: 19 Feb 2024
Affected product: Suite CRM
Affected version(s): Version 7.14.2
Vulnerability name: Local file inclusion (LFI)
Vulnerability type: Remotely exploitable
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v3.1 base score: 9.9
Exploit available: No
CVE ID(s): CVE-2024-1644
Description
Suite CRM version 7.14.2 allows a user to include local PHP files, because the application is vulnerable to local file inclusion (LFI).
Vulnerability
A local file inclusion (LFI) vulnerability has been identified in Suite CRM that, under certain conditions, could allow an attacker to obtain remote command execution. The attacker only needs a low-privileged account (PR:L in the CVSS vector).
Vulnerable path
The vulnerable path in the code, from the source to the sink, is shown below.
Evidence of exploitation
Create a product and upload a malicious image
Include the image from the previous step with the LFI to achieve RCE
Our security policy
We have reserved the ID CVE-2024-1644 to refer to this issue from now on.
System Information
Version: Suite CRM 7.14.2
Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
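Since no vendor patch is available, the following PHP is an added defensive illustration of the pattern that prevents this class of issue: a dynamic include confined to an allowlisted directory and an allowlisted file name. It is not SuiteCRM code and not part of this advisory; TEMPLATE_DIR, resolveTemplate, renderTemplate and the template request parameter are assumed names chosen for the example.

```php
<?php
// Added example (not SuiteCRM code): confining dynamic includes so that a
// user-controlled name cannot reach arbitrary local PHP files or uploaded
// content. Directory and parameter names are assumptions for illustration.

declare(strict_types=1);

// Anti-pattern: the include target is built straight from request input.
//   include __DIR__ . '/modules/' . $_GET['module'] . '.php';
// A traversal sequence, or a path that points at an uploaded file, turns this
// into local file inclusion and, when the file contains PHP, code execution.

const TEMPLATE_DIR = __DIR__ . '/templates';

/**
 * Resolve a requested template name to an absolute path inside TEMPLATE_DIR,
 * or return null when the request must be rejected.
 */
function resolveTemplate(string $requested): ?string
{
    // 1. Syntactic allowlist: simple names only, so no separators, dots,
    //    NUL bytes or stream wrappers (php://, data://) can be expressed.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }

    // 2. Canonicalise both the base and the candidate. realpath() follows
    //    symlinks and returns false when the file does not exist.
    $base = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Containment check: the resolved file must lie strictly below the
    //    base directory (the trailing separator prevents prefix tricks such
    //    as /templates-old matching /templates).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Include the requested template, or log and reject the request.
 */
function renderTemplate(string $requested): void
{
    $path = resolveTemplate($requested);
    if ($path === null) {
        http_response_code(400);
        // Rejected include requests are worth alerting on: they are the
        // observable trace of an LFI attempt against this endpoint.
        error_log(sprintf('Rejected template include request: %s', $requested));
        return;
    }
    include $path;
}

// Usage (assumed request parameter name):
// renderTemplate($_GET['template'] ?? '');
```

The extension is appended server-side rather than taken from the request, and the name regex cannot express a path, so an uploaded image stored anywhere on disk is never a valid include target. Upload directories should additionally live outside any include base and be served without PHP execution, so that even a successful inclusion of an upload would not run attacker-supplied code.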
References
Vendor page https://github.com/salesagility/SuiteCRM/
Timeline
5 Jan 2024 - Vendor contacted
10 Jan 2024 - Vendor replied
10 Jan 2024 - Vendor confirmed vulnerability
19 Feb 2024 - Public disclosure