Main Vulnerability Database Vulnerabilities #VU21892

#VU21892 SQL injection in SugarCRM - CVE-2019-17294

Published: October 16, 2019

Vulnerability identifier: #VU21892

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-17294

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SugarCRM

Software vendor:
SugarCRM Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the export function. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website. Install Hot fix applied to 7.9.5.0 for versions 7.9.

External links

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/

#VU21892 SQL injection in SugarCRM - CVE-2019-17294

Description

Remediation

External links

Please verify you're human