SugarCRM Web Logic Hooks Module PHP Code Injection
Posted by deepcore on January 4, 2019 – 6:35 am
SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a PHP code injection vulnerability. User input passed through the “trigger_event” parameter is not properly sanitized before being used to save PHP code into the ‘logic_hooks.php’ file through the Web Logic Hooks module. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.
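The mitigation this class of bug calls for, shown as an added example that is not SugarCRM's code or its patch: the event name is checked against a fixed allowlist, and every value is serialised with var_export() before it is written into generated PHP source. The function and constant names are hypothetical, the event list is an illustrative subset, and the sample inputs are constructed.

```php
<?php
// Added illustration; not SugarCRM code. All names here are hypothetical.

// Illustrative subset of logic hook event names; a real deployment would
// use the application's full list.
const ALLOWED_EVENTS = [
    'before_save', 'after_save', 'before_delete', 'after_delete', 'after_retrieve',
];

/**
 * Build the PHP source line for one hook entry.
 *
 * Rejects any event that is not an exact allowlist match, then serialises
 * every value with var_export() so quotes and backslashes are escaped
 * instead of being interpreted as PHP syntax in the generated file.
 */
function render_hook_entry(string $triggerEvent, array $hook): string
{
    if (!in_array($triggerEvent, ALLOWED_EVENTS, true)) {
        throw new InvalidArgumentException('unknown trigger_event');
    }
    return sprintf(
        "\$hook_array[%s][] = %s;\n",
        var_export($triggerEvent, true),
        var_export($hook, true)
    );
}

// Constructed sample inputs.
$samples = [
    'after_save',        // legitimate event name
    "after_save'; //",   // constructed value containing a quote and a statement terminator
];

// Constructed hook definition: order, label, file, class, method.
$hook = [1, 'example hook', 'custom/ExampleHook.php', 'ExampleHook', 'run'];

foreach ($samples as $event) {
    try {
        echo render_hook_entry($event, $hook);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($event, true), "\n";
    }
}
```

The allowlist alone stops the second sample; var_export() is the second layer, so that any value reaching the file is emitted as an escaped literal.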