Main Vulnerability Database Vulnerabilities #VU21909

#VU21909 Path traversal in SugarCRM - CVE-2019-17311

Published: October 17, 2019

Vulnerability identifier: #VU21909

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-17311

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SugarCRM

Software vendor:
SugarCRM Inc.

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the attachment function in the REST API due to input validation error when processing directory traversal sequences. A remote authenticated attacker can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.

Remediation

Install updates from vendor's website. Install Hot fix applied to 7.9.5.0 for versions 7.9.

External links

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/

#VU21909 Path traversal in SugarCRM - CVE-2019-17311

Description

Remediation

External links

Please verify you're human