Description

Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter.

Remediation

References

CVE-2006-2460

Related Vulnerabilities

WordPress Plugin Profile Builder-User Profile & User Registration Forms Cross-Site Scripting (3.6.1)

OpenVPN AS Other Vulnerability (CVE-2021-4234)

MySQL CVE-2022-39404 Vulnerability (CVE-2022-39404)

Undertow Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') Vulnerability (CVE-2020-10687)

Joomla CVE-2020-35610 Vulnerability (CVE-2020-35610)

Severity

Medium

Classification

CVE-2006-2460

Tags

Missing Update Known Vulnerabilities