SugarCRM PHP Deserialization RCE

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

N/A

可信数据的反序列化

SugarCRM 安全漏洞

SugarCRM是美国SugarCRM公司的一套开源的客户关系管理系统（CRM）。该系统支持对不同的客户需求进行差异化营销、管理和分配销售线索，实现销售代表的信息共享和追踪。 SugarCRM存在安全漏洞，该漏洞源于对SugarRestSerialize.php中rest_data参数的反序列化验证不足，可能导致任意代码执行。以下版本受到影响：6.5.24之前版本、6.7.13之前版本、7.5.2.5之前版本、7.6.2.2之前版本和7.7.1.0之前版本。

N/A

N/A