SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability
• Software Link:
• Affected Versions:
All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.
• Vulnerability Description:
User input passed through the “trigger_event” parameter is not properly sanitized before being used to save PHP code into the logic_hooks.php file through the Web Logic Hooks module. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires admin privileges.
• Solution:
Update to versions 7.9.5.0, 8.0.2, 8.2.0, or later.
• Disclosure Timeline:
[30/07/2018] – Vendor notified
[25/09/2018] – Fixed versions released and security advisory published
[31/12/2018] – Publication of this advisory
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.
• Other References:
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2018-009/