JVNDB-2009-000056

[Japanese]
JVNDB-2009-000056
SugarCRM vulnerable to SQL injection
Overview
SugarCRM contains a SQL injection vulnerability. SugarCRM is a customer relationship management (CRM) software. SugarCRM contains a SQL injection vulnerability. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score] Access Vector: Local Access Complexity: Low Authentication: Single Instance Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

SugarCRM SugarCRM Community/Professional/Enterprise Editions 5.2.0g and earlier SugarCRM Community/Professional/Enterprise Editions 5.0.0k and earlier SugarCRM Community/Professional/Enterprise Editions 4.5.1o and earlier

Impact
As a result of SQL injection, contents within the database can be compromised.
Solution
[Update the Software] Update to the latest version according to the information provided by the developer.
Vendor Information
SugarCRM SugarCRM : Sugar Community Edition 5.2.0 Patch H SugarCRM : Sugar Community Edition 5.0.0l and 4.5.1p Now Available SugarCRM : Download Sugar Community Edition - 5.2.0h SugarCRM : SugarCRM - Downloads - Patch Archive
CWE (What is CWE?)
SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)
CVE-2009-2978
References
JVN : JVN#31035930 National Vulnerability Database (NVD) : CVE-2009-2978 IPA SECURITY ALERTS : Security Alert for Vulnerability in SugarCRM Secunia Advisory : SA36423 SecurityFocus : 36118 ISS X-Force Database : 52679
Revision History
[2009/08/24] Web page published


Date Public	2009/08/24
Date First Published	2009/08/24
Date Last Updated	2009/08/24

SugarCRM vulnerable to SQL injection