Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SugarCRM 6.1.1 Privilege Restriction Bypass

🗓️ 16 Mar 2011 00:00:00Reported by redteam-pentesting.deType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 45 Views

Advisory: SugarCRM privilege restriction bypass, logged-in users can view all entries. Upgrade to SugarCRM 6.1.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2011-0745
15 Mar 201100:00
circl
CVE		CVE-2011-0745
16 Mar 201122:00
cve
Cvelist		CVE-2011-0745
16 Mar 201122:00
cvelist
EUVD		EUVD-2011-0757
7 Oct 202500:30
euvd
NVD		CVE-2011-0745
16 Mar 201122:55
nvd
Prion		Design/Logic Flaw
16 Mar 201122:55
prion
securityvulns		[RT-SA-2011-002] SugarCRM list privilege restriction bypass
15 Mar 201100:00
securityvulns
UbuntuCve		CVE-2011-0745
16 Mar 201122:55
ubuntucve
`Advisory: SugarCRM list privilege restriction bypass  
  
RedTeam Pentesting discovered a vulnerability in SugarCRM that allows  
logged in users to bypass restrictions of their list privilege, allowing  
to list all entries.  
  
  
Details  
=======  
  
Product: SugarCRM Community Edition  
SugarCRM Professional  
SugarCRM Enterprise  
Affected Versions: <= 6.1.1  
Fixed Versions: >= 6.1.3  
Vulnerability Type: privilege restriction bypass  
Security Risk: medium  
Vendor URL: http://www.sugarcrm.com/crm/  
Vendor Status: fixed version released  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-002  
Advisory Status: published  
CVE: CVE-2011-0745  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0745  
  
  
Introduction  
============  
  
SugarCRM is a customer relation management system written in  
PHP. There is a free version, Sugar Community Edition, and two  
commercial versions, Sugar Professional and Sugar Enterprise.  
  
  
More Details  
============  
  
SugarCRM supports defining so-called roles, that have a given set of  
privileges for each object type, such as customers (called "accounts"),  
calls and opportunities. A role can then be assigned to users, to which  
the defined privileges apply.  
  
These privileges, among others, include View, Edit, Delete and List. The  
List privilege controls to what extent a list of existing objects can be  
accessed. It may be set to All, Owner or None. When set to Owner, users  
to which this applies can only see the objects they own, such as  
customers assigned to them.  
  
When trying to create, for example, a new customer, SugarCRM performs a  
duplicate check and warns the user, if a customer using the same name  
already exists. The warning page includes a listing of the conflicting  
entries, regardless of their owner. Furthermore, when reloading the page  
at this point, it shows a complete list of all customers, even if the  
user's List privilege is limited to Owner. Directly accessing the URL of  
this page works in the same way. This likewise applies to contact  
entries, too.  
  
  
Proof of Concept  
================  
  
The following URL displays a list of all customers ("accounts"):  
http://www.example.org/sugarcrm/index.php?module=Accounts&action=ShowDuplicates  
  
The following URL displays a list of all contacts:  
http://www.example.org/sugarcrm/index.php?module=Contacts&action=ShowDuplicates  
  
  
Fix  
===  
  
Upgrade to SugarCRM 6.1.3.  
  
  
Security Risk  
=============  
  
This vulnerability enables logged-in users to see the names of  
customers and contact persons, they are not allowed to see. They however  
are not able to otherwise access customer or contact person entries,  
such as viewing their details. Thus the risk of this vulnerability is  
estimated as medium.  
  
The risk in a particular case varies depending on the actual  
confidentiality of customer relationships.  
  
  
History  
=======  
  
2010-09-14 Vulnerability identified  
2011-01-28 CVE number requested  
2011-02-02 CVE number assigned  
2011-02-09 Vendor notified  
2011-02-09 Vendor confirmed the vulnerability  
2011-03-10 Vendor releases fix  
2011-03-15 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Mar 2011 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.06958
sugarcrmprivilege restriction bypass6.1.16.1.3vulnerabilityredteam pentesting
45