Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SugarCRM 9.0.1 Broken Access Controls

🗓️ 11 Oct 2019 00:00:00Reported by EgiXType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 292 Views

SugarCRM 9.0.1 Multiple Broken Access Control Vulnerabilities, InboundEmail, Trackers, Campaigns, ModuleBuilder, Administration, Local File Inclusio

Code
`----------------------------------------------------------------  
SugarCRM <= 9.0.1 Multiple Broken Access Control Vulnerabilities  
----------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 9.0.1 and prior versions, 8.0.3 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
1) There is a Broken Access Control vulnerability with regards to the   
"InboundEmail" module.  
When handling the "Save" action the application fails to properly check   
whether the user has  
Admin access to the module, thus allowing any user to create a new   
"InboundEmail" bean  
regardless of their roles/permissions.  
  
2) There is a Broken Access Control vulnerability with regards to the   
"Trackers" module.  
When handling the "trackersettings" action the application fails to   
properly check whether  
the user has Admin access to the module, thus allowing any user to   
change Trackers'  
settings regardless of their roles/permissions  
  
3) There is a Broken Access Control vulnerability with regards to the   
"Campaigns" module.  
When handling the "WizardEmailSetupSave" action the application fails to   
properly check  
whether the user has Admin access to the module, thus allowing any user   
to change Email  
Setup for Campaigns regardless of their roles/permissions.  
  
4) There is a Broken Access Control vulnerability with regards to the   
"ModuleBuilder" module.  
When the "view_module" parameter is set to an empty string, the   
application fails to properly  
check whether the user has permissions to access the module, thus   
allowing any user to access  
certain ModuleBuilder actions regardless of their roles.  
  
5) There is a Broken Access Control vulnerability with regards to the   
"Administration"  
module. When handling the "SaveMerge" action within the "MergeRecords"   
module the application  
fails to properly check whether the user is a System Administrator, thus   
allowing unauthorized  
users to inject arbitrary "Administration" beans (which means arbitrary   
values into the  
"config" database table). Successful exploitation of this vulnerability   
requires an user  
account with Developer access to any module.  
  
6) There is a Broken Access Control vulnerability with regards to the   
"Administration" module.  
When handling the "Save" action within the "EmailMan" module the   
application allows unauthorized  
users to modify administration settings by invoking the   
"Administration::saveConfig()" method.  
Successful exploitation of this vulnerability requires an user account   
with Developer access  
to the Emails or Campaigns modules.  
  
7) There is a Broken Access Control vulnerability with regards to the   
"Administration" module.  
When handling the "WizardEmailSetupSave" action within the "Campaigns"   
module the application  
allows unauthorized users to modify administration settings by invoking   
the  
"Administration::saveConfig()" method.  
  
8) There is a Local File Inclusion vulnerability within the   
"add_to_prospect_list" function.  
User input passed through the "parent_module" and "parent_type"   
parameters is not properly  
sanitized before being used in a call to the include() function. This   
can be exploited to  
include arbitrary .php files within the webroot and potentially bypass   
authorization mechanisms  
(for instance, by setting the "parent_module" parameter to   
"Administration" and the "parent_type"  
parameter to "expandDatabase" or any other action which does not   
implement ACL checks).  
  
  
[-] Solution:  
  
Upgrade to version 9.0.2, 8.0.4, or later.  
  
  
[-] Disclosure Timeline:  
  
[07/02/2019] - Vendor notified  
[01/10/2019] - Versions 9.0.2 and 8.0.4 released  
[10/10/2019] - Publication of this advisory  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2019-05  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Oct 2019 00:00Current
0.3Low risk
Vulners AI Score0.3
access controlinboundemailtrackerscampaignsmodulebuilderadministrationlocal file inclusionvulnerabilitiesupgradedisclosure timelineegidio romano
292