In SuiteCRM v7.12.4, affecting Employee Module, any user with the User Type as Regular User could export employee records via /index.php?entryPoint=export
endpoint. The prerequisite of this attack is by knowing the user record (ID) which can be obtained in the employees’ section. The impact could lead to employee record information exposure such as User Name, Full Name, ID, Full Address, Phone Number and others.
1 POST http://{HOST}/index.php?entryPoint=export
~
Request file , pwd: xBCwVicbq9
This vulnerability is capable of leading to unauthorized sensitive information disclosure of relevant parties such as User Name, ID and others that can be used to orchestrate the further attack.