Input validation error in SugarCRM
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2011-0745 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
SugarCRM Web applications / CMS |
| Vendor | SugarCRM Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU45224
Risk: Low
CVSSv3.1: 1.4 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2011-0745
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote #AU# to gain access to sensitive information.
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
MitigationInstall update from vendor's website.
Vulnerable software versionsSugarCRM: 1.0 - 6.1.1
External linkshttp://securityreason.com/securityalert/8141
http://www.redteam-pentesting.de/advisories/rt-sa-2011-002
http://www.securityfocus.com/archive/1/517027/100/0/threaded
http://www.securityfocus.com/bid/46885
http://www.securitytracker.com/id?1025222
http://www.vupen.com/english/advisories/2011/0675
http://exchange.xforce.ibmcloud.com/vulnerabilities/66110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
