SugarCRM addLabels PHP Code Injection
Posted by deepcore on January 4, 2019 – 6:35 am
SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a PHP code injection vulnerability. User input passed through the key names of the 'labels_' parameters is not properly sanitized before it is written out as PHP code by the "ParserLabel::addLabels()" method when labels are saved through the Module Builder. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation requires admin privileges.
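The bug class described above, as an added illustration that is not SugarCRM's code: a hypothetical label writer (writeLabelsUnsafe / writeLabelsSafe, both invented names) that regenerates a PHP language file from submitted key/value pairs, shown in its unsanitized form beside a hardened form that whitelists key names and emits every literal through var_export().

```php
<?php
// Added illustrative example, not SugarCRM's ParserLabel code.
// A module-builder style "save labels" routine regenerates a PHP language
// file from user-supplied keys and values.

// Unsanitized pattern: keys and values are concatenated straight into PHP
// source, so whatever a key contains becomes part of the generated file.
function writeLabelsUnsafe(array $labels, string $path): void
{
    $src = "<?php\n";
    foreach ($labels as $key => $value) {
        // Nothing constrains $key; it is spliced into a PHP statement verbatim.
        $src .= "\$mod_strings['" . $key . "'] = '" . $value . "';\n";
    }
    file_put_contents($path, $src);
}

// Hardened pattern: keys must match the shape real label keys have, and every
// literal is produced by var_export(), which quotes and escapes it correctly
// regardless of content. PHP casts numeric-string array keys to int, hence
// the is_string() check.
function writeLabelsSafe(array $labels, string $path): void
{
    $src = "<?php\n";
    foreach ($labels as $key => $value) {
        if (!is_string($key) || !preg_match('/^[A-Z][A-Z0-9_]{0,99}$/', $key)) {
            throw new InvalidArgumentException(
                'Rejected label key: ' . var_export($key, true)
            );
        }
        $src .= '$mod_strings[' . var_export($key, true) . '] = '
              . var_export((string) $value, true) . ";\n";
    }
    file_put_contents($path, $src, LOCK_EX);
}

// Constructed sample input: one well-formed key and one malformed key
// (lowercase, whitespace) that a label key should never contain.
$labels = [
    'LBL_ACCOUNT_NAME' => 'Account Name',
    'lbl account'      => 'Account',
];
$tmp = sys_get_temp_dir() . '/labels_example.php';
try {
    writeLabelsSafe($labels, $tmp);
} catch (InvalidArgumentException $e) {
    // The malformed key is refused before anything is written to disk.
    echo $e->getMessage(), "\n";
}
writeLabelsSafe(['LBL_ACCOUNT_NAME' => 'Account Name'], $tmp);
echo file_get_contents($tmp);
```

The regular expression is an assumption about what a valid label key looks like; tighten or loosen it to the key format the application actually uses, but keep the check a whitelist rather than a blacklist of dangerous characters.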