Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2011-0745 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | SugarCRM Web applications / CMS |
Vendor | SugarCRM Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU45224
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2011-0745
CWE-ID: CWE-20 - Improper input validation
Exploit availability: Yes
Description: The vulnerability allows a remote authenticated user to gain access to sensitive information.
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
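The advisory's distinguishing traits are the request shape (index.php dispatching the ShowDuplicates action of the Accounts or Contacts module) and the access pattern (the warning page being reloaded or requested directly rather than reached as the side effect of saving a record). The following detector, added here as an illustration and not code from the advisory or from SugarCRM, runs that logic over constructed access-log lines. It assumes the usual SugarCRM dispatch scheme of `index.php?module=...&action=...` visible in the query string, Apache/nginx "combined" log format, and that a legitimate duplicate-check warning is produced by a POST from the edit form rather than a GET; the sample lines and IP addresses are made up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" access log format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Modules named in the advisory. index.php?module=...&action=... is the
# usual SugarCRM dispatch scheme; relying on it here is an assumption.
WATCHED_MODULES = {"Accounts", "Contacts"}
WATCHED_ACTION = "ShowDuplicates"

# Constructed sample traffic (not real log data): one benign detail view,
# one benign save (POST from the edit form), one benign single GET with a
# referer, one direct GET with no referer, and three reloads of the same URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2011:10:01:02 +0000] "GET /sugarcrm/index.php?module=Accounts&action=DetailView&record=1 HTTP/1.1" 200 7100 "https://crm.example.test/sugarcrm/index.php?module=Accounts&action=index" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Mar/2011:10:01:40 +0000] "POST /sugarcrm/index.php HTTP/1.1" 200 5120 "https://crm.example.test/sugarcrm/index.php?module=Accounts&action=EditView" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Mar/2011:10:02:05 +0000] "GET /sugarcrm/index.php?module=Accounts&action=ShowDuplicates HTTP/1.1" 200 4096 "https://crm.example.test/sugarcrm/index.php?module=Accounts&action=EditView" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Mar/2011:10:03:11 +0000] "GET /sugarcrm/index.php?module=Accounts&action=ShowDuplicates HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [14/Mar/2011:10:04:20 +0000] "GET /sugarcrm/index.php?module=Contacts&action=ShowDuplicates HTTP/1.1" 200 3980 "https://crm.example.test/sugarcrm/index.php?module=Contacts&action=ShowDuplicates" "Mozilla/5.0"',
    '10.0.0.12 - - [14/Mar/2011:10:04:23 +0000] "GET /sugarcrm/index.php?module=Contacts&action=ShowDuplicates HTTP/1.1" 200 3980 "https://crm.example.test/sugarcrm/index.php?module=Contacts&action=ShowDuplicates" "Mozilla/5.0"',
    '10.0.0.12 - - [14/Mar/2011:10:04:27 +0000] "GET /sugarcrm/index.php?module=Contacts&action=ShowDuplicates HTTP/1.1" 200 3980 "https://crm.example.test/sugarcrm/index.php?module=Contacts&action=ShowDuplicates" "Mozilla/5.0"',
    'this line is not in combined format and must be skipped',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def is_showduplicates(rec):
    """True when the request dispatches ShowDuplicates for a watched module."""
    return (
        rec["path"].endswith("/index.php")
        and rec["query"].get("action") == WATCHED_ACTION
        and rec["query"].get("module") in WATCHED_MODULES
    )


def find_suspicious(lines, reload_threshold=3):
    """Flag ShowDuplicates GETs that look like direct access or reloads.

    A GET with no referer is a direct request for the warning page; several
    GETs of the same ShowDuplicates URL from one client are reloads. Both are
    the access pattern the advisory describes. Returns (ip, reason) tuples.
    """
    hits = []
    reloads = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_showduplicates(rec) or rec["method"] != "GET":
            continue
        key = (rec["ip"], rec["target"])
        reloads[key] += 1
        if rec["referer"] == "-":
            hits.append((rec["ip"], "direct GET of ShowDuplicates page (no referer)"))
        elif reloads[key] == reload_threshold:
            hits.append((rec["ip"], f"{reload_threshold} GETs of the same ShowDuplicates URL (reload)"))
    return hits


if __name__ == "__main__":
    for ip, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Feed the function real access-log lines instead of SAMPLE_LOG to sweep a deployment; the benign single GET from 10.0.0.5 shows that one request with a referer is below the reload threshold and is not reported.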
Mitigation: Install the update from the vendor's website (the description indicates that SugarCRM 6.1.3 or later contains the fix).
Vulnerable software versions: SugarCRM 1.0 - 6.1.1 (the description states that all versions before 6.1.3 are affected; treat 6.1.2 as affected as well unless the vendor confirms otherwise).
References:
https://securityreason.com/securityalert/8141
https://www.redteam-pentesting.de/advisories/rt-sa-2011-002
https://www.securityfocus.com/archive/1/517027/100/0/threaded
https://www.securityfocus.com/bid/46885
https://www.securitytracker.com/id?1025222
https://www.vupen.com/english/advisories/2011/0675
https://exchange.xforce.ibmcloud.com/vulnerabilities/66110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.