Published: 2009/08/24 Last Updated: 2009/08/26
JVN#31035930
SugarCRM vulnerable to SQL injection
Overview
SugarCRM contains a SQL injection vulnerability.
Products Affected
- SugarCRM Community/Professional/Enterprise Editions 5.2.0g and earlier
- SugarCRM Community/Professional/Enterprise Editions 5.0.0k and earlier
- SugarCRM Community/Professional/Enterprise Editions 4.5.1o and earlier
Description
SugarCRM is customer relationship management (CRM) software. SugarCRM contains a SQL injection vulnerability.
Impact
If this SQL injection vulnerability is exploited, the contents of the database may be compromised.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
|---|---|
| SugarCRM Inc. | Sugar Community Edition 5.2.0 Patch H |
| | SugarCRM - Downloads - Patch Archive |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.08.24
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets | |
| Authentication | login caused to be created by an administrator | |
| User Interaction Required | the vulnerability can be exploited without an honest user taking any action | |
| Exploit Complexity | expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise) | |
Credit
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| Source | Reference |
|---|---|
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2009-2978 |
| JVN iPedia | JVNDB-2009-000056 |
Update History
- 2009/08/26
- Information under the sections "Products Affected" and "Vulnerability Analysis by JPCERT/CC" has been modified.