Input validation error in SugarCRM - CVE-2011-0745
Published: March 17, 2011 / Updated: August 11, 2020
Vulnerability identifier: #VU45224
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2011-0745
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: SugarCRM Inc.
Affected software:
SugarCRM
SugarCRM
Detailed vulnerability description
The vulnerability allows a remote #AU# to gain access to sensitive information.
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
How to mitigate CVE-2011-0745
Install update from vendor's website.
Sources
- http://securityreason.com/securityalert/8141
- http://www.redteam-pentesting.de/advisories/rt-sa-2011-002
- http://www.securityfocus.com/archive/1/517027/100/0/threaded
- http://www.securityfocus.com/bid/46885
- http://www.securitytracker.com/id?1025222
- http://www.vupen.com/english/advisories/2011/0675
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66110