CVE-2008-2045

SugarCRM 4.5.1 and 5.0.0 - Path Traversal via URL Parameter in Feed.php

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-2045. PoCs published by Roberto Suggi Liverani.

AI-analyzed exploit summary: This is a detailed writeup describing a local file disclosure vulnerability in SugarCRM Community Edition versions 4.5.1 and 5.0.0. The flaw allows an attacker to read arbitrary local files by exploiting improper input validation in the RSS module, which creates a cached file with the contents of the specified local file.

Description

Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Roberto Suggi Liverani · text · webapps · php
https://www.exploit-db.com/exploits/5521

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: SugarCRM Community Edition 4.5.1 and 5.0.0
No auth needed
Prerequisites: Access to the SugarCRM application · Ability to submit a crafted RSS feed URL
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/491417/100/0/threaded
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28981
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/1388/references
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/3844
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/30002
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42087
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5521

Scores

EPSS 0.0520
EPSS Percentile 91.4%

Details

CWE: CWE-22
Status: published
Products (2):
sugarcrm/sugarcrm 4.5.1
sugarcrm/sugarcrm 5.0.0
Published: May 01, 2008
Tracked Since: Feb 18, 2026