Description SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user. Remediation References CVE-2019-17306 Related Vulnerabilities Apache HTTP Server Improper Neutralization of CRLF Sequences ('CRLF Injection') Vulnerability (CVE-2016-4975) WordPress Plugin Auto Featured Image Arbitrary File Upload (1.2) WordPress Plugin WooCommerce-Store Exporter Privilege Escalation (1.8.3) GlassFish Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2008-2751) WordPress Plugin WappPress-Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute Arbitrary File Upload (5.0.3) Severity High Classification CVE-2019-17306 CWE-94 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Tags Missing Update Known Vulnerabilities