PT-2021-16884 · Suitecrm · Suitecrm

Published: 2021-09-29 · Updated: 2024-03-06 · CVE-2021-25960

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 7.10.29 through 7.10.31; SuiteCRM versions 7.11.18 through 7.11.19
Description: The issue is a CSV Injection vulnerability, also known as Formula Injection, which allows a low-privileged attacker to place payloads in input fields of the accounts module. When an administrator exports data from this module as a CSV file and opens it in a spreadsheet application, the payload is executed. A previous security measure did not fix this vulnerability properly, so attackers were able to bypass that control.
Recommendations: For SuiteCRM versions 7.10.29 through 7.10.31, consider disabling the export functionality in the accounts module until a proper fix is available. For SuiteCRM versions 7.11.18 through 7.11.19, restrict access to the accounts module to minimize the risk of exploitation, especially when data is exported as CSV files.
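The export-side mitigation the description implies, as an added example that is not SuiteCRM's code: every cell written to the CSV is neutralized before the file is built, and a constructed "naive" filter that checks only for a leading "=" shows why an incomplete fix of this kind still lets formula cells through. The column names, sample records and the assumption that leading spaces should also be treated as a trigger are mine; the page does not describe the original fix or the spreadsheet used by the administrator.

```python
import csv
import io

# Characters spreadsheets may treat as the start of a formula when they lead a
# cell (OWASP CSV-injection list); tab and CR are included because some
# importers accept them as cell-start markers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
COLUMNS = ("name", "website", "description")

def naive_escape(value: str) -> str:
    """Constructed example of an incomplete mitigation: only '=' is checked,
    so cells starting with '+', '-' or '@' still reach the spreadsheet as formulas."""
    return "'" + value if value.startswith("=") else value

def neutralize_cell(value) -> str:
    """Escape one cell so a spreadsheet shows it as literal text. Leading spaces
    are skipped before the check as a conservative assumption, since the page does
    not say which spreadsheet the administrator opens the export with."""
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces text interpretation
    return text

def is_neutralized(cell: str) -> bool:
    """True when the cell can no longer be interpreted as a formula."""
    return not cell.lstrip(" ").startswith(FORMULA_TRIGGERS)

def export_accounts_csv(rows, escape=neutralize_cell) -> str:
    """Render account records to CSV. Each field passes through `escape` before
    csv.writer quotes it, so embedded quotes and delimiters stay in one cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([escape(row.get(col, "")) for col in COLUMNS])
    return buf.getvalue()

def all_cells_safe(csv_text: str) -> bool:
    """Review check: parse the export back and confirm no cell starts with a trigger."""
    return all(is_neutralized(c) for row in csv.reader(io.StringIO(csv_text)) for c in row)

# Constructed sample records: one normal account plus cells beginning with each
# trigger character; the formulas are harmless arithmetic used only for the check.
SAMPLE_ACCOUNTS = [
    {"name": "Acme Ltd", "website": "https://acme.example", "description": "Normal account"},
    {"name": "=1+1", "website": "+2", "description": "-3"},
    {"name": "@SUM(1,2)", "website": " =1+1", "description": 'text, with "quotes"'},
]
```

Running `all_cells_safe` over an export produced with `naive_escape` returns False, while the `neutralize_cell` export passes; the same check is a cheap regression test to keep in place after a fix lands.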

Fix

RCE

Related Identifiers

BIT-SUITECRM-2021-25960
CVE-2021-25960

Affected Products

Suitecrm