sugarcrm-sa-2024-036

Advisory ID: sugarcrm-sa-2024-036

Revision: 1.0

Last Updated: 2024-09-03

Status: Final

Summary

Risk Level: Low

Vulnerability: Stored XSS

Description

A Stored XSS vulnerability has been identified in the pmse_Inbox module. Because the module does not validate its input, a specially crafted request can inject custom PHP code through the pmse_Inbox module. Exploiting this vulnerability requires admin user privileges.

We have not experienced any reported incidents to date related to this vulnerability. 

Affected Products

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

Product                                  Fixed Release
SugarCRM 14.0 Enterprise, Sell, Serve    14.0.1
SugarCRM 13.0 Enterprise, Sell, Serve    13.0.4

Upgrades

On-Site Customers

It is strongly recommended to upgrade the affected products to the reported fixed release version. SugarCRM maintains different releases of its products, each with specific upgrade paths. Refer to the Installation and Upgrade Guide specific to your Sugar version and product to patch your instance. Contact Sugar Support for any further inquiries regarding upgrades.

SugarCloud Customers

Customers hosted on SugarCloud will receive an upgrade automatically. 

Workaround

There is no workaround available for this vulnerability.  

Publication History

2024-10-03 Update audience disclosure
2024-01-26 Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time. 

Credits

This vulnerability has been responsibly disclosed by HackerOne/reactors08 and has been fixed by the SugarCRM Security Team.