← Back

CVE-2009-2146

nvd nist
Published: Jun 22, 2009Modified: Apr 23, 2026

JSON object

Loading...
6.0
Vector
AV:N/AC:M/Au:S/C:P/I:P/A:P
Exploitability: 6.8 / Impact: 6.4
Source: NVD

Description

Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name.

Affected (9)

Products: Sugarcrm: Sugarcrm
Sugarcrm
1 product
Sugarcrm
Configuration A
9 vulnerable
Vulnerable SoftwareAffected Versions
Sugarcrm
Sugarcrm
Up to 5.2e
Sugarcrm
Version 5.0.0
Sugarcrm
Version 5.0.0h
Sugarcrm
Version 5.0.0k
Sugarcrm
Version 5.1.0-beta
Sugarcrm
Version 5.1.0
Sugarcrm
Version 5.1c
Sugarcrm
Version 5.2c
Sugarcrm
Version 5.2d

References (8)

Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Exploit
Source: cve@mitre.org
Source: cve@mitre.org
Exploit
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit

Timeline

No history available yet.