SugarCRM up to 8.0.3/9.0.1 Administration input validation

Summaryinfo

A vulnerability was found in SugarCRM up to 8.0.3/9.0.1 and classified as critical. The affected element is an unknown function of the component Administration. The manipulation results in input validation. This vulnerability was named CVE-2019-17299. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in SugarCRM up to 8.0.3/9.0.1. Affected is an unknown code of the component Administration. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user.

The weakness was presented 10/07/2019. This vulnerability is traded as CVE-2019-17299 since 10/07/2019. The exploitability is told to be easy. It is possible to launch the attack remotely. A authentication is needed for exploitation. There are neither technical details nor an exploit publicly available.

Upgrading to version 8.0.4 or 9.0.2 eliminates this vulnerability.

See VDB-143032, VDB-143031, VDB-143030 and VDB-143029 for similar entries. Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• SugarCRM

Version

• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 9.0.0
• 9.0.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion