CVE-2020-7472
Last modified
CVE-2020-7472 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).. EPSS estimates a 3.07% chance of exploitation in the next 30 days.
Description
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sugarcrm | Sugarcrm | >= 8.0.0, < 8.0.7 |
| Sugarcrm | Sugarcrm | >= 9.0.0, < 9.0.4 |
References
- https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/Release Notes, Vendor Advisory
- https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/Release Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-7472?
How severe is CVE-2020-7472?
How do I fix CVE-2020-7472?
Are you affected by CVE-2020-7472?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST