Main Vulnerability Database Vulnerabilities #VU21910

#VU21910 Path traversal in SugarCRM - CVE-2019-17312

Published: October 17, 2019

Vulnerability identifier: #VU21910

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-17312

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SugarCRM

Software vendor:
SugarCRM Inc.

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the file function in the REST APIdue to input validation error when processing directory traversal sequences. A remote authenticated attacker can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.

Remediation

Install updates from vendor's website. Install Hot fix applied to 7.9.5.0 for versions 7.9.

External links

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/

#VU21910 Path traversal in SugarCRM - CVE-2019-17312

Description

Remediation

External links

Please verify you're human