SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload-directory, as long as it is named by an ID (e.g. attachments). An unauthenticated attacker could download internal files when he discovers a valid file-ID. Valid IDs could be brute-forced, but this is quite time-consuming as the file-IDs are usually UUIDs. This issue is fixed in version 7.14.7.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Suitecrm | Salesagility | 8.6.0 (including) | 8.8.1 (excluding) |
Suitecrm | Salesagility | 7.14.6 (including) | 7.14.6 (including) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.