SugarCRM <= 4.0 beta Remote File Inclusion Vulnerability

Summary
The remote web server contains a PHP script that is prone to multiple flaws.
Description
SugarCRM is a Customer Relationship Manager written in PHP. The version of SugarCRM installed on the remote host does not properly sanitize user input in the 'beanFiles[]' parameter of the 'acceptDecline.php' file. An attacker can use this flaw to display sensitive information and to include malicious code which can be used to execute arbitrary commands. This vulnerability exists if 'register_globals' is enabled.
Solution
Upgrade to Sugar Suite version 3.5.1e and/or disable PHP's 'register_globals' setting.
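To check whether a host has already received requests matching the pattern described above, the following added example (not part of the original advisory or of SugarCRM) scans web access logs for requests to 'acceptDecline.php' that carry a 'beanFiles' parameter. The combined log format, the function name `suspicious_requests` and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /sugarcrm/index.php?module=Home HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2006:10:00:05 +0000] "GET /sugarcrm/acceptDecline.php?beanFiles%5BX%5D=PLACEHOLDER HTTP/1.1" 200 311
192.0.2.44 - - [01/Jan/2006:10:00:09 +0000] "GET /crm/acceptDecline.php?a=1&beanFiles[X]=PLACEHOLDER HTTP/1.1" 200 298
192.0.2.10 - - [01/Jan/2006:10:00:12 +0000] "GET /sugarcrm/acceptDecline.php?module=Meetings HTTP/1.1" 200 1400
"""

# Client address, request target and status code from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_requests(log_text):
    """Return (client, path, status) for requests to acceptDecline.php
    whose query string sets the 'beanFiles' array.

    Limitation: access logs record only the query string. With
    register_globals enabled PHP also imports POST and cookie values,
    which this check cannot see.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/acceptdecline.php"):
            continue
        # parse_qsl percent-decodes names, so 'beanFiles%5BX%5D' and
        # 'beanFiles[X]' are treated the same.
        names = [name for name, _ in parse_qsl(url.query, keep_blank_values=True)]
        if any(n == "beanFiles" or n.startswith("beanFiles[") for n in names):
            hits.append((client, url.path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```
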