sugarcrm-sa-2024-045
Advisory ID: sugarcrm-sa-2024-045
Revision: 1.0
Last Updated: 2024-09-03
Status: Final
Summary
Risk Level: Medium
Vulnerability: Local File Inclusion
Description
Two Local File Inclusion vulnerabilities have been identified in the ModuleInstall module. Because of missing input validation, a specially crafted request to the ModuleInstall module can be used to inject custom PHP code. Exploiting these vulnerabilities requires admin user privileges.
We have not experienced any reported incidents to date related to these vulnerabilities.
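The defect class described above, shown as an added illustration that is not SugarCRM code: an include() fed directly from a request parameter, beside a version that confines the resolved path to the intended module directory. The directory layout, function names and PHP 8 string helpers are assumptions for this example.

```php
<?php
// Added example, not SugarCRM code. Contrasts an unvalidated include with a
// confined one. $modulesDir and the file layout are assumed for illustration.
declare(strict_types=1);

// Vulnerable pattern: a request parameter reaches include() unchecked, so a
// "../" sequence, an absolute path or a stream wrapper selects any file.
function loadModuleFileUnsafe(string $modulesDir, string $requested): void
{
    include $modulesDir . '/' . $requested;   // missing input validation
}

// Hardened pattern: validate the shape of the name, resolve the real path,
// and require that it stays inside the module directory.
function resolveModuleFile(string $modulesDir, string $requested): ?string
{
    // Reject embedded NUL bytes before any filesystem call.
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;
    }
    // Simple relative names only: no "..", no leading "/", no wrappers,
    // no trailing newline (\z, not $, so "x.php\n" is refused).
    if (!preg_match('~\A[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.php\z~', $requested)) {
        return null;
    }
    $base   = realpath($modulesDir);
    $target = realpath($modulesDir . '/' . $requested);
    if ($base === false || $target === false) {
        return null;   // directory missing or file does not exist
    }
    // realpath() follows symlinks, so a link pointing outside is caught too.
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

function loadModuleFileSafe(string $modulesDir, string $requested): bool
{
    $path = resolveModuleFile($modulesDir, $requested);
    if ($path === null) {
        // Log rejections: repeated hits here are a useful detection signal.
        error_log('rejected module file request: ' . $requested);
        return false;
    }
    include $path;
    return true;
}
```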
Affected Products
The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.
Product | Fixed Release
SugarCRM 14.0 Enterprise, Sell, Serve | 14.0.1
SugarCRM 13.0 Enterprise, Sell, Serve | 13.0.4
Upgrades
On-Site Customers
It is strongly recommended to upgrade the affected products to the reported fixed release version. SugarCRM maintains different releases of its products, each with specific upgrade paths. Refer to the Installation and Upgrade Guide specific to your Sugar version and product to patch your instance. Contact Sugar Support for any further inquiries regarding upgrades.
SugarCloud Customers
Customers hosted on SugarCloud will receive an upgrade automatically.
Workaround
There is no workaround available for these vulnerabilities.
Publication History
2024-10-03 | Update audience disclosure
2024-04-18 | Internal disclosure
A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.
Credits
These vulnerabilities have been responsibly disclosed by Cobalt.io and have been fixed by the SugarCRM Security Team.