
Multiple vulnerabilities in SugarCRM


As part of a service contract, Intrinsec conducted a penetration test on the SugarCRM platform, an open-source customer relationship management (CRM) application published by the American company SugarCRM. Several vulnerabilities were identified and reported to the publisher.

In particular, multiple vulnerabilities in SugarCRM allow a user with restricted rights to elevate their privileges within the application and thus gain access to all of the application's data. Two security bulletins have been issued by the SugarCRM security team.

sugarcrm-sa-2016-004

A missing authorization check allows an authenticated user to retrieve sensitive information about other users. Password hashes and user session information are exposed through the export features of the application and of the Calendar module.

Publisher's bulletin: https://www.sugarcrm.com/security/sugarcrm-sa-2016-004

sugarcrm-sa-2016-007

A malicious user can escalate their privileges by creating a valid administrator account through a vulnerability in the Calendar module. This requires only an account with no special privileges.

Publisher's bulletin: https://www.sugarcrm.com/security/sugarcrm-sa-2016-007

Timeline

2016-05-16: Vulnerabilities discovered
2016-05-19: Notification to the publisher
2016-05-25: Confirmation of processing by the publisher
2016-07-20: Vulnerabilities patched and bulletins published