CVE-2020-7472

Published Nov 12, 2020

Last updated 3 years ago

CVSS critical 9.8

Overview

Description: An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F008F6E8-D4EA-46C3-B28B-1FD74907CE16",
            "versionEndExcluding": "8.0.7",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D6098509-B802-4682-A826-B4AE3E776AE7",
            "versionEndExcluding": "8.0.7",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EE1F47AF-2E32-4191-8790-1713F2D4C2FF",
            "versionEndExcluding": "8.0.7",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "57F246BD-A1C4-4175-B110-55DCDED0749E",
            "versionEndExcluding": "9.0.4",
            "versionStartIncluding": "9.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "13321C72-94F9-4849-9307-BBC0A696BB68",
            "versionEndExcluding": "9.0.4",
            "versionStartIncluding": "9.0.0"
          },
          {
            "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "60ACA353-B7F7-4A7B-8314-7EA8B79F0F58",
            "versionEndExcluding": "9.0.4",
            "versionStartIncluding": "9.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References