PT-2020-16975 · Salesagility · Suitecrm

Hao Wang

Published

2020-11-06

Updated

2024-03-06

CVE-2020-28328

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions SuiteCRM versions prior to 7.11.17

Description The issue allows for remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, the logger file name can refer to an attacker-controlled .php file under the web root.

Recommendations For versions prior to 7.11.17, update to version 7.11.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the system settings Log File Name setting to prevent admin account takeover and minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

BIT-SUITECRM-2020-28328

CVE-2020-28328

Affected Products

Suitecrm

PT-2020-16975 · Salesagility · Suitecrm

CVE-2020-28328

Weakness Enumeration

Related Identifiers

Affected Products

References · 12