JavaScript Code Execution in PDF in salesagility/suitecrm

Valid

Reported on

Oct 10th 2023


Description

The application accepts PDF files with JavaScript code embedded which results in JavaScript code injection and execution. This vulnerability allows the adversary to upload PDF files with malicious content and execute them.

Proof of Concept

1. Log in as a user
2. Go to Collaboration > Documents > Create Documents
3. Upload a malicious PDF file and click save
4. Go to another user account (could be admin) and view the same file and the payload will get executed
5. Repeat the same process for another malicious file
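An upload-time check for the condition these steps describe, added here as an example; it is not part of the report or of the SuiteCRM fix. The list of action names it looks for is an assumption, and the sample PDFs are constructed for the example (the second hides the same open action behind #xx-escaped names inside a Flate-compressed stream).

```python
import re
import zlib

# PDF name objects that carry or trigger embedded script (an assumed list for
# this check). Names may use #xx escapes, e.g. /J#53 for /JS, so they are
# normalised before matching.
RISKY_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def unescape_name(name: bytes) -> str:
    """Resolve #xx escapes in a PDF name object."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                  name).decode("latin-1")

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream, so names hidden
    inside compressed object streams are visible to the scan."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj ignores the trailing EOL before 'endstream'
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data; the raw bytes are scanned anyway
    return data + b"\n" + b"\n".join(extra)

def find_active_content(pdf: bytes) -> set:
    """Return the risky name objects present anywhere in the PDF."""
    names = (unescape_name(m.group(0)) for m in NAME_RE.finditer(inflate_streams(pdf)))
    return {n for n in names if n in RISKY_NAMES}

def is_safe_upload(pdf: bytes) -> bool:
    """Upload policy: refuse any PDF that carries active content."""
    return not find_active_content(pdf)

# Constructed samples: a benign skeleton, the same file with the app.alert(1)
# open action from the report, and that action hidden with escaped names inside
# a Flate-compressed stream.
CATALOG = b"1 0 obj << /Type /Catalog /Pages 2 0 R %s>> endobj\n"
PAGES = b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
TRAILER = b"trailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE_BENIGN_PDF = b"%PDF-1.4\n" + CATALOG % b"" + PAGES + TRAILER
SAMPLE_JS_PDF = (b"%PDF-1.4\n" + CATALOG % b"/OpenAction 3 0 R " + PAGES
                 + b"3 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj\n" + TRAILER)
SAMPLE_HIDDEN_PDF = (b"%PDF-1.5\n" + CATALOG % b"" + PAGES
                     + b"3 0 obj << /Filter /FlateDecode >>\nstream\n"
                     + zlib.compress(b"<< /S /Java#53cript /J#53 (app.alert(1);) >>")
                     + b"\nendstream\nendobj\n" + TRAILER)
```

Only Flate-compressed streams are inflated, so content behind other filters or encryption is not inspected; such a scan complements, rather than replaces, serving user uploads with a download-only disposition so the browser's PDF viewer never renders them inline.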

POC Video

Malicious PDF File 1

Malicious PDF File 2

JavaScript Code of Malicious PDF File 1

JavaScript Code of Malicious PDF File 2

This has also been tested on the demo. Demo POC

Impact

This vulnerability leads to JavaScript Code Execution which could make arbitrary changes to the content of the uploaded PDF and much more.

More vulnerabilities could occur according to the information mentioned here: PDF Functions

We are processing your report and will contact the salesagility/suitecrm team within 24 hours. 4 months ago
Shahzaib Ali Khan modified the report
4 months ago
We have contacted a member of the salesagility/suitecrm team and are waiting to hear back 4 months ago
salesagility/suitecrm maintainer
4 months ago

Maintainer


Hi Shahzaib Ali Khan,

Thank you for your Security Report.

We have raised the issue from this report with our internal security team to be confirmed.

Below is a reference of the issue raised and ID allocated:

SCRMBT-#252 – Huntr.dev: JavaScript Code Execution in PDF in salesagility/suitecrm

We will review the issue and confirm whether or not it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue or does not need to be private, then we'll raise it via the GitHub bug tracker or a more appropriate place.

Thank you for your contribution to the SuiteCRM project.

Kind regards, SuiteCRM Security Team

salesagility/suitecrm maintainer has acknowledged this report 4 months ago
Shahzaib Ali Khan modified the report
4 months ago
Shahzaib Ali Khan modified the report
4 months ago
Shahzaib
4 months ago

Researcher


Thank you - do you have any update regarding this vulnerability?

Clemente Raposo
4 months ago

Maintainer


Hi @shahzaibak96,

The Security Team has now assessed the following issue:

SCRMBT-#252 – Huntr.dev: JavaScript Code Execution in PDF in salesagility/suitecrm

This issue has been given a severity grading of 'Important'. Due to the severity of this issue we are working to release a fix for it soon.

As explained in our last email, once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not to be included or have a specific request on how you would like to be referenced within the release notes.

Once the issue is resolved on huntr.dev a CVE will be emitted. We will then update the release notes with this CVE.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team

Clemente Raposo validated this vulnerability 4 months ago
shahzaibak96 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Shahzaib
4 months ago

Researcher


@Admin @Maintainer can you please assign CVE for my efforts, research, and motivation?

Shahzaib
4 months ago

Researcher


@maintainer Yes, you can include me in the release notes.

Clemente Raposo
4 months ago

Maintainer


Hi @shahzaibak96,

The CVE is auto-assigned when we mark the issue as fixed/resolved.

That can only be done when the fix for the issue is released.

Kind regards, SuiteCRM Security Team

Clemente Raposo marked this as fixed in 7.14.2, 7.12.14, 8.4.2 with commit 54bc56 3 months ago
Clemente Raposo has been awarded the fix bounty
This vulnerability has now been published 3 months ago
JiaSheng He
2 months ago

This is pretty amazing, and we can see it clearly in the video because Edge's PDF preview executes /JS (app.alert(1);). This vulnerability has nothing to do with SuiteCRM. I am wondering if SuiteCRM officially knows what is called PDF XSS. But he got $4,500 for the report. Shock!
