CVE-2009-2146

Name of the Vulnerable Software and Affected Versions Sugar Community Edition versions prior to 5.2f

Description The issue concerns an unrestricted file upload vulnerability in the Compose Email feature of the Emails module. This allows remote authenticated users to execute arbitrary code by uploading a file with a specific extension, such as .php, and then accessing it via a direct request to a modified filename under the cache/modules/Emails/ directory.

Recommendations For versions prior to 5.2f, update to version 5.2f or later to resolve the issue. As a temporary workaround, consider restricting access to the cache/modules/Emails/ directory or disabling the file upload feature in the Compose Email functionality until a patch is applied.