Back to CVE Browser

CVE-2006-2460

MEDIUM

6.4

CVSS Severity Score

EPSS Score0.1670%

EPSS Percentile25.53th

PublishedMay 19, 2006

Last ModifiedApr 16, 2026

Vulnerability Description

Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter.

Affected Platforms (CPE)

📦

Sugarcrm

Sugarcrm

= 3.5

📦

Sugarcrm

Sugarcrm

= 4.0

📦

Sugarcrm

Sugarcrm

= 4.1

📦

Sugarcrm

Sugarcrm

= 4.2

References & Advisories

🔗 http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html

🔗 http://secunia.com/advisories/20072

🔗 http://securityreason.com/securityalert/921

🔗 http://securitytracker.com/id?1016087

🔗 http://www.osvdb.org/25532

🔗 http://www.securityfocus.com/archive/1/434009/100/0/threaded

🔗 http://www.securityfocus.com/bid/17987

🔗 http://www.vupen.com/english/advisories/2006/1791

Related Vulnerabilities

CVE-2004-122510.0

SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and ga...

CVE-2004-122710.0

Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and p...

CVE-2020-74729.8

An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before ...

CVE-2012-06949.8

SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute...