SugarCRM REST deserialization vulnerability

Description

Added: 09/23/2016 BID: [91413](<http://www.securityfocus.com/bid/91413>) ### Background [SugarCRM](<http://www.sugarcrm.com/>) is customer relationship management software written in PHP. ### Problem Improper use of the `**unserialize**` function inside the `**SugarRestSerialize.php**` script allows remote attackers to inject PHP objects, leading to arbitrary command execution. ### Resolution Upgrade to SugarCRM 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, 7.7.1.0, or higher. ### References <http://www.securityfocus.com/archive/1/538741> <http://www.sugarcrm.com/security/sugarcrm-sa-2016-008> ### Limitations Exploit works on SugarCRM 6.5.23 and requires knowledge of the URL path of the SugarCRM application.