SugarSales Multiple Module Traversal Arbitrary File Access

medium Nessus Plugin ID 15950

Synopsis

The remote host is running SugarSales, a customer relationship suite written in Java and PHP.

Description

The remote version of this software has a directory traversal vulnerability that may allow an attacker to read arbitrary files on the remote host with the privileges of the httpd user. The 'Users' module, the 'Calls' module and the index.php script are reported to be affected.

Solution

Upgrade to the newest version of this software.

Plugin Details

Severity: Medium

ID: 15950

File Name: sugarsales_file_reading.nasl

Version: 1.15

Type: remote

Family: CGI abuses

Published: 12/13/2004

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 12/13/2004

Reference Information

BID: 11896