## https://sploitus.com/exploit?id=PACKETSTORM:156321
---------------------------------------------------------------------
SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities
---------------------------------------------------------------------
[-] Software Link:
https://suitecrm.com/
[-] Affected Versions:
Version 7.11.11 and prior versions.
[-] Vulnerabilities Description:
1) The vulnerability exists because the
"EmailsControllerActionGetFromFields::getEmailSignatures()” method
is using the unserialize() function with the "account_signatures” user
preference, and such a value can be
arbitrarily manipulated by evil users through the EmailUIAjax interface.
This can be exploited to inject
arbitrary PHP objects into the application scope, allowing an attacker
to perform a variety of attacks,
such as executing arbitrary PHP code.
2) The vulnerability exists because the
"EmailsControllerActionGetFromFields::handleActionGetFromFields()”
method is using the unserialize() function with the "showFolders” user
preference, and such a value can be
arbitrarily manipulated by evil users through the EmailUIAjax interface.
This can be exploited to inject
arbitrary PHP objects into the application scope, allowing an attacker
to perform a variety of attacks,
such as executing arbitrary PHP code.
[-] Solution:
No official solution is currently available.
[-] Disclosure Timeline:
[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no
response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8800 to these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2020-01