CVE-2009-2146
SugarCRM 5.2.0e - Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name.
Vulnerabilidad de subida de fichero sin restricción en la caracteristica Compose Email del módulo Emails in Sugar Community Edition (también conocido como SugarCRM) versión anterior a 5.2f permite a atacantes remotos ejecutar código de su elección subiendo un fichero con una extensión ejecutable, posteriormente accediendo al fichero mediante una petición directa a un fichero modificado del directorio cache/modules/Emails/, como se ha demostrado al usar .php como el nombre completo original
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-06-15 First Exploit
- 2009-06-22 CVE Reserved
- 2009-06-22 CVE Published
- 2024-09-17 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/8949 | 2009-06-15 | |
| http://www.securityfocus.com/bid/35361 | 2024-09-17 | |
| http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt | 2024-09-17 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/35445 | 2009-06-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | <= 5.2e Search vendor "Sugarcrm" for product "Sugarcrm" and version " <= 5.2e" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.0.0 Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.0.0" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.0.0h Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.0.0h" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.0.0k Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.0.0k" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.1.0 Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.1.0" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.1.0-beta Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.1.0-beta" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.1c Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.1c" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.2c Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.2c" | sugar_community_edition |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | 5.2d Search vendor "Sugarcrm" for product "Sugarcrm" and version "5.2d" | sugar_community_edition |
Affected
| ||||||