CVE-2021-39267

Name of the Vulnerable Software and Affected Versions SuiteCRM versions prior to 7.11.19

Description The issue allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution, such as text/xml, are not blocked.

Recommendations For versions prior to 7.11.19, update to version 7.11.19 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to only necessary types and validating the Content-Type header to prevent malicious file uploads.