SuiteCRM <= 7.11.11 (add_to_prospect_list) Broken Access Control Vulnerability

• Affected Versions:

Version 7.11.11 and prior versions.

• Vulnerability Description:

There is a Local File Inclusion vulnerability within the add_to_prospect_list() function. User input passed through the “parent_module” and “parent_type” parameters is not properly validated before being used in a call to the include() PHP function. This can be exploited to include arbitrary .php files within the webroot and potentially bypass authorization mechanisms (for instance, by setting the “parent_module” parameter to “Administration” and the “parent_type” parameter to “expandDatabase” or any other administrative action which does not implement ACL checks).

• Solution:

Update to version 7.11.12, 7.10.24, or later.

• Disclosure Timeline:

[19/09/2019] – Vendor notified

[20/09/2019] – Vendor acknowledgement

[12/11/2019] – Vendor contacted again asking for updates, no response

[20/01/2020] – Vendor notified about public disclosure intention, no response

[07/02/2020] – CVE number assigned

[12/02/2020] – Public disclosure

[14/02/2020] – Versions 7.11.12 and 7.10.24 released

• CVE Reference:

The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2020-8803 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.