SQL Injection in opportunities module in salesagility/suitecrm

Valid

Reported on

Oct 3rd 2023

Description

During the save of an opportunity, the duplicate_parent_id value is not properly validated and sanitised before it is used in a query, which allows SQL injection.

Proof of Concept

Add an SQL injection statement to the opportunities duplicate_parent_id parameter in the save request.

Impact

With SQL injection, a user can read and manipulate data in the database.
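The class of fix the description points at, as an added example that is not SuiteCRM's own code: allow-list validation of the record id followed by a bound query parameter. It assumes SuiteCRM-style ids are 36-character GUID strings (8-4-4-4-12 hex groups) and uses a constructed in-memory SQLite table in place of the real opportunities table.

```python
import re
import sqlite3

# Assumption: record ids are GUIDs of the form 8-4-4-4-12 hex characters.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def make_db():
    """Constructed sample data: a tiny in-memory opportunities table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE opportunities (id TEXT PRIMARY KEY, name TEXT, deleted INTEGER)"
    )
    db.executemany(
        "INSERT INTO opportunities VALUES (?, ?, ?)",
        [
            ("0d8a5b2c-1b3f-4e6a-9c7d-2f1e3a4b5c6d", "Acme renewal", 0),
            ("7c2e9f10-aa21-4b9b-8d6e-0c4d5e6f7a8b", "Globex pilot", 0),
        ],
    )
    return db


def validate_record_id(value):
    """Reject anything that is not a well-formed GUID before it reaches SQL."""
    if not isinstance(value, str) or not GUID_RE.match(value):
        raise ValueError("duplicate_parent_id is not a valid record id")
    return value.lower()


def is_safe_duplicate_parent_id(value):
    """True when the request value passes the allow-list check."""
    try:
        validate_record_id(value)
        return True
    except ValueError:
        return False


def load_duplicate_parent(db, duplicate_parent_id):
    """Hardened lookup: validated id plus a bound parameter, never string concatenation."""
    parent_id = validate_record_id(duplicate_parent_id)
    return db.execute(
        "SELECT id, name FROM opportunities WHERE id = ? AND deleted = 0",
        (parent_id,),
    ).fetchone()
```

Validation alone is not the defence; the bound parameter is what keeps the value out of the SQL grammar, and the format check simply rejects malformed input early with a clear error.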

We are processing your report and will contact the salesagility/suitecrm team within 24 hours. 2 months ago
salesagility/suitecrm maintainer has acknowledged this report 2 months ago
salesagility/suitecrm maintainer validated this vulnerability 2 months ago

The Security Team have now assessed the following issue:

  • SCRMBT-#240 - Opportunities Save - SQL injection

This issue has been given a severity grading of 'Important'.

sarprt323 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
salesagility/suitecrm maintainer marked this as fixed in 7.14.1 with commit c43eaa 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
salesagility/suitecrm maintainer published this vulnerability 2 months ago