SugarCRM 6.5.18 Missing Authorization

Type packetstorm
Reporter EgiX
Modified 2016-06-24T00:00:00


SugarCRM <= 6.5.18 Missing Authorization Check Vulnerabilities  
[-] Software Link:  
[-] Affected Versions:  
Version 6.5.18 CE and prior versions.  
[-] Vulnerabilities Description:  
The application fails to properly check whether the user has administrator privileges within the following scripts:  
1) /modules/Administration/ImportCustomFieldStructure.php  
2) /modules/Administration/UpgradeWizard_commit.php  
3) /modules/Connectors/controller.php ("RunTest" action)  
This can be exploited by authenticated users to access certain otherwise restricted administrative features  
or exploit further vulnerabilities within the affected scripts (e.g. a SQL injection vulnerability located  
within the ImportCustomFieldStructure.php file).  
[-] Solution:  
Update to version 6.5.19 CE or higher.  
[-] Disclosure Timeline:  
[22/10/2014] - Vendor notified  
[15/12/2014] - Version 6.5.19 CE released:  
[29/04/2015] - CVE number requested  
[23/06/2016] - Public disclosure  
[-] CVE Reference:  
The Common Vulnerabilities and Exposures project (  
has not assigned a CVE identifier for these vulnerabilities.  
[-] Credits:  
Vulnerabilities discovered by Egidio Romano.  
[-] Original Advisory: