{"id":2274,"date":"2016-08-02T10:30:37","date_gmt":"2016-08-02T08:30:37","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=2274"},"modified":"2016-08-02T10:30:37","modified_gmt":"2016-08-02T08:30:37","slug":"multiples-vulnerabilites-dans-sugarcrm","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/multiples-vulnerabilites-dans-sugarcrm\/","title":{"rendered":"Multiple vulnerabilities in SugarCRM"},"content":{"rendered":"

As part of a service contract, Intrinsec conducted a penetration test on the SugarCRM platform, an open-source customer relationship management (CRM) software published by the American company SugarCRM. Several vulnerabilities were identified and reported to the publisher.<\/p>\n

Indeed, multiple vulnerabilities within SugarCRM allow a user with restricted rights to elevate their privileges within the application and thus gain access to all application information. Two security bulletins have been issued by the SugarCRM security team.<\/p>\n

sugarcrm-sa-2016-004<\/h1>\n

A lack of authorization allows an authenticated user to retrieve sensitive user information. Password hashes or user session information are accessible through the application's or Calendar module's export features.<\/p>\n

Publisher's bulletin: https:\/\/www.sugarcrm.com\/security\/sugarcrm-sa-2016-004<\/a><\/p>\n

sugarcrm-sa-2016-007<\/h1>\n

A malicious user can escalate their privileges by creating a valid administrator account using a vulnerability in the Calendar module. This action requires an account with no special privileges.<\/p>\n

Publisher's bulletin: https:\/\/www.sugarcrm.com\/security\/sugarcrm-sa-2016-007<\/a><\/p>\n

Historical<\/h1>\n

2016-05-16: Vulnerabilities discovered
\n2016-05-19: Notification to the publisher
\n2016-05-25: Confirmation of processing by the publisher
\n2016-07-20: Vulnerabilities patched and bulletins published<\/p>","protected":false},"excerpt":{"rendered":"

As part of a service contract, Intrinsec performed a penetration test on the SugarCRM platform, [\u2026]<\/p>","protected":false},"author":1,"featured_media":2294,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,19],"tags":[],"class_list":["post-2274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-evaluation-securite","category-soc-securite-operationnelle"],"yoast_head":"\nMultiples vuln\u00e9rabilit\u00e9s dans SugarCRM - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/multiples-vulnerabilites-dans-sugarcrm\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM\" \/>\n<meta property=\"og:description\" content=\"Dans le cadre d’une prestation, Intrinsec a r\u00e9alis\u00e9 un test d’intrusion sur la plateforme SugarCRM, […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/multiples-vulnerabilites-dans-sugarcrm\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-02T08:30:37+00:00\" \/>\n<meta name=\"author\" content=\"Intrinsec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Intrinsec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/\"},\"author\":{\"name\":\"Intrinsec\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\"},\"headline\":\"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM\",\"datePublished\":\"2016-08-02T08:30:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/\"},\"wordCount\":253,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"articleSection\":[\"Evaluation S\u00e9curit\u00e9\",\"SOC S\u00e9curit\u00e9 Op\u00e9rationnelle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/\",\"name\":\"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2016-08-02T08:30:37+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/multiples-vulnerabilites-dans-sugarcrm\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\",\"name\":\"Intrinsec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"caption\":\"Intrinsec\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/ufhtbqccsz\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Multiple vulnerabilities in SugarCRM - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/multiples-vulnerabilites-dans-sugarcrm\/","og_locale":"en_US","og_type":"article","og_title":"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM","og_description":"Dans le cadre d’une prestation, Intrinsec a r\u00e9alis\u00e9 un test d’intrusion sur la plateforme SugarCRM, […]","og_url":"https:\/\/www.intrinsec.com\/en\/multiples-vulnerabilites-dans-sugarcrm\/","og_site_name":"INTRINSEC","article_published_time":"2016-08-02T08:30:37+00:00","author":"Intrinsec","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Intrinsec","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/"},"author":{"name":"Intrinsec","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799"},"headline":"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM","datePublished":"2016-08-02T08:30:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/"},"wordCount":253,"commentCount":0,"image":{"@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#primaryimage"},"thumbnailUrl":"","articleSection":["Evaluation S\u00e9curit\u00e9","SOC S\u00e9curit\u00e9 Op\u00e9rationnelle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/","url":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/","name":"Multiple vulnerabilities in SugarCRM - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#primaryimage"},"thumbnailUrl":"","datePublished":"2016-08-02T08:30:37+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799"},"breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/multiples-vulnerabilites-dans-sugarcrm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Multiples vuln\u00e9rabilit\u00e9s dans SugarCRM"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799","name":"Intrinsic","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","caption":"Intrinsec"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/ufhtbqccsz\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/2274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=2274"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/2274\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=2274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=2274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=2274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}