SugarCRM WorkFlow PHP Code Injection

Posted by deepcore on January 4, 2019 – 6:35 am

SugarCRM versions prior to 7.9.4.0 and 7.11.0.0 suffer from a PHP code injection vulnerability in the WorkFlow module. User input passed through the $_POST[‘base_module’] parameter to the “Save” action of the WorkFlow module is not properly sanitized before being used to write data into the ‘workflow.php’ file. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Oracle Application Express AnyChart Flash-Based Cross Site Scripting [webapps] MyBB OUGC Awards Plugin 1.8.3 – Persistent Cross-Site Scripting »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

SugarCRM WorkFlow PHP Code Injection

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL