SugarCRM before 8.0.4 Improper Input Validation Vulnerability

Summary

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.

Credit:

The information has been provided by Egidio Romano 

The original article can be found at: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/



Details

Three Remote Code Execution issues have been identified in the MergeRecords module. Because of missing input validation, a specially crafted request can inject custom PHP code through the MergeRecords module. Developer user privileges are required to exploit these vulnerabilities.

Vulnerable Systems:

SugarCRM before 8.0.4 

SugarCRM 9.x before 9.0.2

CVE Information:

CVE-2019-17303

Disclosure Timeline:
Published Date: 10/07/2019