CVE-2020-7472
CRITICAL — SugarCRM < 8.0.7, 9.0 < 9.0.4, 10.0 < 10.0.0 - Unauthenticated Remote Code Execution via Installation Component
Title source: llmDescription
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.)
References (2)
Vendor Advisory x_refsource_confirm
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/
Release Notes, Vendor Advisory x_refsource_misc
https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/
Scores
CVSS v3
9.8
EPSS
0.0307
EPSS Percentile
86.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
CWE-94
Status
published
Products (1)
sugarcrm/sugarcrm
8.0.0 - 8.0.7 (3 CPE variants)
Published
Nov 12, 2020
Tracked Since
Feb 18, 2026