CyberSec.Space Logo
Back to CVE Browser

CVE-2020-7472

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0870%
EPSS Percentile19.97th
PublishedNov 12, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).

Affected Platforms (CPE)

πŸ“¦
Sugarcrm

Sugarcrm

>= 8.0.0 and < 8.0.7
πŸ“¦
Sugarcrm

Sugarcrm

>= 8.0.0 and < 8.0.7
πŸ“¦
Sugarcrm

Sugarcrm

>= 8.0.0 and < 8.0.7
πŸ“¦
Sugarcrm

Sugarcrm

>= 9.0.0 and < 9.0.4
πŸ“¦
Sugarcrm

Sugarcrm

>= 9.0.0 and < 9.0.4
πŸ“¦
Sugarcrm

Sugarcrm

>= 9.0.0 and < 9.0.4

References & Advisories

πŸ”— https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/
πŸ”— https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/
πŸ”— https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/
πŸ”— https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/

Related Vulnerabilities

CVE-2004-122710.0

Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and p...

CVE-2004-122510.0

SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and ga...

CVE-2012-06949.8

SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute...

CVE-2014-32449.8

XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitr...