CVE-2015-5946

HIGH

SuiteCRM 7.2.2 - Code Injection

Title source: llm

Description

Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.

References (3)

[Broken Link, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2016/03/02/5

[Broken Link, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2015/08/06/6

[Exploit, Third Party Advisory] http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html

Scores

CVSS v3 7.8

EPSS 0.0036

EPSS Percentile 58.4%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-184

Status published

Products (1)

sugarcrm/sugarcrm 6.5.22

Published Aug 07, 2017

Tracked Since Feb 18, 2026