PT-2017-3178 · Sage · Sagecrm
Published: 2017-01-24 · Updated: 2019-10-03
CVE-2017-5219
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
SageCRM versions 7.x through 7.3 SP2
Description
The issue lies in the Component Manager functionality of SageCRM, which allows additional components to be added to the application by uploading a zip archive. The upload is unrestricted, so an attacker can supply a specially crafted zip file. Archive entries can carry path-traversal names, so that a web shell inside the archive is written, on extraction, outside the intended inf directory and into the SageCRM webroot. The attacker can then interact remotely with the underlying filesystem at the highest privilege level, SYSTEM, leading to elevated privileges and a full impact on the confidentiality, integrity, and availability of data.
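The extraction-time check that this class of bug lacks, shown as an added defensive example (not Sage's code): every archive member is resolved against the intended extraction directory and rejected if it would land outside it. The archive contents and the directory names are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import Path


def resolves_inside(dest: Path, name: str) -> bool:
    # Reject absolute and drive-letter names outright, then require that the
    # fully resolved target still lies under dest (this blocks ../ traversal).
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    try:
        (dest / name).resolve().relative_to(dest.resolve())
    except ValueError:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest: str):
    # Extract only members that stay inside dest; return (extracted, rejected).
    dest_path = Path(dest)
    dest_path.mkdir(parents=True, exist_ok=True)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not resolves_inside(dest_path, info.filename):
                rejected.append(info.filename)
                continue
            target = dest_path / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    # Constructed sample: one legitimate member plus one that climbs out of
    # the extraction directory, as the advisory describes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("component/manifest.txt", "legitimate component file\n")
        zf.writestr("../../escaped.txt", "must never be written\n")
    return buf.getvalue()


def demo():
    # Run the sample in a scratch tree; report whether anything leaked out of inf.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = safe_extract(build_sample_zip(), tmp + "/a/b/inf")
        leaked = (Path(tmp) / "a" / "escaped.txt").exists()
    return extracted, rejected, leaked
```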
Recommendations
For SageCRM versions 7.x through 7.3 SP2, update to version 7.3 SP3 or later to resolve the issue.
As a temporary workaround, consider disabling the Component Manager functionality until the update can be applied.
Restrict access to the inf directory to minimize the risk of exploitation.
Avoid using the zip file upload feature in the Component Manager until the issue is resolved.
Fix
Path traversal
Unrestricted File Upload
Affected Products
Sagecrm