https://blog.qife122.com/tags/sugarcrm/ Recent content in SugarCRM on 办公AI智能小助手 Hugo zh-cn qife Thu, 11 Sep 2025 22:50:27 +0800 https://blog.qife122.com/p/sugarcrm-14.0.0-ssrf%E4%B8%8E%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90/ Thu, 11 Sep 2025 22:50:27 +0800 https://blog.qife122.com/p/sugarcrm-14.0.0-ssrf%E4%B8%8E%E4%BB%A3%E7%A0%81%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90/ <h1 id="exploit-for-sugarcrm-1400---ssrfcode-injection-cve-2024-58258">Exploit for SugarCRM 14.0.0 - SSRF/Code Injection CVE-2024-58258</h1> <p>2025-07-16 | CVSS 7.2</p> <h2><a href="https://sploitus.com/exploit?id=EDB-ID:52365">https://sploitus.com/exploit?id=EDB-ID:52365</a></h2> <h1 id="exploit-title--sugarcrm-1400---ssrfcode-injection">Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection</h1> <h1 id="author-egidio-romano-aka-egix">Author: Egidio Romano aka EgiX</h1> <h1 id="email-">Email : <a href="mailto:n0b0d13s@gmail.com">n0b0d13s@gmail.com</a></h1> <h1 id="software-link">Software Link: <a href="https://www.sugarcrm.com">https://www.sugarcrm.com</a></h1> <h1 id="affected-versions-all-commercial-versions-before-1304-and-1401">Affected Versions: All commercial versions before 13.0.4 and 14.0.1.</h1> <h1 id="cve-reference-cve-2024-58258">CVE Reference: CVE-2024-58258</h1> <h1 id="vulnerability-description">Vulnerability Description:</h1> <p>通过GET参数传递给/css/preview REST API端点的用户输入在解析为LESS代码之前未经过适当清理。远程未经身份验证的攻击者可以利用此漏洞注入并执行任意LESS指令。通过滥用@import LESS语句，攻击者可以触发服务器端请求伪造（SSRF）或读取Web服务器上的任意本地文件，可能导致敏感信息泄露。</p>