Description
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.

Remediation

References
CVE-2019-17302

Related Vulnerabilities
Jenkins Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-21690)
WordPress Plugin Mobile Events Manager CSV Injection (1.4.7)
WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2019-17267)
XWiki Improper Encoding or Escaping of Output Vulnerability (CVE-2022-36100)
WordPress Plugin Jock on air now Cross-Site Scripting (5.6.2)

Severity
High

Classification
CVE-2019-17302
CWE-94
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags
Missing Update
Known Vulnerabilities