Main Vulnerability Database Vulnerabilities #VU21917

#VU21917 SQL injection in SugarCRM - CVE-2019-17319

Published: October 17, 2019

Vulnerability identifier: #VU21917

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-17319

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SugarCRM

Software vendor:
SugarCRM Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Emails module. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website. Install Hot fix applied to 7.9.5.0 for versions 7.9.

External links

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/

#VU21917 SQL injection in SugarCRM - CVE-2019-17319

Description

Remediation

External links

Please verify you're human