Main Vulnerability Database Vulnerabilities #VU21912

#VU21912 Path traversal in SugarCRM - CVE-2019-17314

Published: October 17, 2019

Vulnerability identifier: #VU21912

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-17314

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SugarCRM

Software vendor:
SugarCRM Inc.

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists in the Configurator module due to input validation error when processing directory traversal sequences. A remote authenticated administrator can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.

Remediation

Install updates from vendor's website. Install Hot fix applied to 7.9.5.0 for versions 7.9.

External links

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/

#VU21912 Path traversal in SugarCRM - CVE-2019-17314

Description

Remediation

External links

Please verify you're human