#VU45224 Input validation error in SugarCRM - CVE-2011-0745
Published: March 17, 2011 / Updated: August 11, 2020
Vulnerability identifier: #VU45224
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2011-0745
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
SugarCRM
SugarCRM
Software vendor:
SugarCRM Inc.
SugarCRM Inc.
Description
The vulnerability allows a remote #AU# to gain access to sensitive information.
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
Remediation
Install update from vendor's website.
External links
- http://securityreason.com/securityalert/8141
- http://www.redteam-pentesting.de/advisories/rt-sa-2011-002
- http://www.securityfocus.com/archive/1/517027/100/0/threaded
- http://www.securityfocus.com/bid/46885
- http://www.securitytracker.com/id?1025222
- http://www.vupen.com/english/advisories/2011/0675
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66110