The bugs allow remote attackers to inject malicious script code on the application side, where it is stored and executed persistently. The vulnerabilities are located in the Setup and Tools modules of the admin panel. Successful exploitation can lead to session hijacking (manager/admin accounts) or persistent manipulation of the affected context. Exploitation requires low user interaction and a low- or medium-privileged web application user account.
Vulnerable Module(s):
[+] Tools -> Sound Manager -> Create sound
[+] Tools -> SugarCRM switchboard Panel -> setup
[+] Setup -> Groups -> Create Extension Group
[+] Setup -> Outgoing calls -> Create Outgoing Call rule
[+] Setup -> Incoming Calls -> Caller DID routes -> Create Single DID Route
[+] Setup -> Incoming Calls -> Caller ID Rules -> Create Call transfer Call
Proof of Concept:
The persistent vulnerabilities can be exploited by a local low-privileged user account with low or medium user interaction required.
For demonstration or to reproduce ...
<div class="desc_div"><b>Description:</b> Your new password must be different than your old password.
Please try again.<br>>"<[PERSISTENT INJECTED SCRIPT CODE!]"><br/>>"<[PERSISTENT INJECTED SCRIPT
CODE!]")</ifram></iframe></div>
["1101"],"plugin_type":"system","plugin_description":"Lookup up and display contact information straight from your
SugarCRM
server.","plugin_display":"SugarCRM","plugin_name":"sugarcrm","admin_sbplugins_id":"1","proxy":"http://>\"<[PERSISTENT
INJECTED SCRIPT CODE!]")
</iframe>","uri":"http://>\"<[PERSISTENT INJECTED SCRIPT CODE!]")
{"call_through":{"internal":{}},"priority":"9","name":"test","description":">\"<[PERSISTENT INJECTED SCRIPT
CODE!]")</iframe> >\"
<[PERSISTENT INJECTED SCRIPT CODE!]>","failovers":{},"is_final":"0","pattern":"Begins with 13 and the remainder is 23
to 90 digits in length","id":"103","context_type":"USER"}],"total_items":"9"}},"allExtensions":
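The JSON fields shown above ("description", "proxy", "uri") are stored by the application and later rendered into the admin panel without encoding, which is what makes the injection persistent. The following is an added example, not code from the advisory or from the affected product, illustrating the unsafe rendering pattern next to its hardened form, plus two defender-side checks: a scan that flags already-stored records containing markup, and an input validator for settings that have no legitimate reason to contain markup characters. The record layout, the function names and the `sampleRule` values are assumptions constructed for this example; the payload string is the advisory's own placeholder marker, not a working script.

```javascript
// Added example (not from the advisory or the vendor). Shows why stored
// settings must be HTML-escaped at output time, and how to find records that
// were already poisoned.

// Constructed sample record, shaped like the PoC JSON. The description value
// is the advisory's placeholder marker, not an actual script.
const sampleRule = {
  name: "test",
  description: '>"<[PERSISTENT INJECTED SCRIPT CODE!]")</iframe>',
  pattern: "Begins with 13 and the remainder is 23 to 90 digits in length",
};

// HTML-escape a value so the browser renders it as text, never as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored field is interpolated straight into markup,
// so whatever was saved through the setup form becomes part of the page.
function renderRuleUnsafe(rule) {
  return `<div class="desc_div"><b>Description:</b> ${rule.description}</div>`;
}

// Hardened pattern: every stored field is escaped at the point of output.
function renderRuleSafe(rule) {
  return `<div class="desc_div"><b>Description:</b> ${escapeHtml(rule.description)}</div>`;
}

// Detection aid: flag stored string fields that contain a tag-like sequence so
// an operator can locate already-poisoned records (the persistent part of the
// bug) instead of waiting for an admin's browser to execute them.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!?]/i;
function findTaintedFields(record) {
  return Object.entries(record)
    .filter(([, v]) => typeof v === "string" && MARKUP_PATTERN.test(v))
    .map(([k]) => k);
}

// Input-side check: names, proxy hosts and URIs have known shapes and should
// be rejected (not silently stored) when they carry markup characters.
function isPlainSetting(value) {
  return typeof value === "string" && !/[<>"']/.test(value);
}
```

Escaping at output is the fix that removes the vulnerability; the input check and the record scan are complementary, since the first stops new poisoned records from being saved and the second finds ones that already exist in the database.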