Byte Open Security

(ByteOS Network)

Vulnerability Details: CVE-2019-17315

Summary
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 07 Oct, 2019 | 15:00
Updated At: 05 Aug, 2024 | 01:40

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.

Affected Products
Vendor: n/a
Product: n/a
Versions affected: n/a

Problem Types
Type: text
CWE ID: N/A
Description: n/a

References
Hyperlink: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/
Resource: x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
References
Hyperlink: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/
Resource: x_refsource_MISC, x_transferred
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:07 Oct, 2019 | 15:15
Updated At:02 Dec, 2022 | 19:24

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A

Metrics
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CPE Matches

Vendor: SugarCRM Inc.
Product: sugarcrm
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:* (versions from 7.9.0.0 (inclusive) to 7.9.5.0 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:* (versions from 8.0.0 (inclusive) to 8.0.4 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:* (versions from 9.0.0 (inclusive) to 9.0.2 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:* (versions from 7.9.0.0 (inclusive) to 7.9.5.0 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:* (versions from 8.0.0 (inclusive) to 8.0.4 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:* (versions from 9.0.0 (inclusive) to 9.0.2 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:* (versions from 7.9.0.0 (inclusive) to 7.9.5.0 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:* (versions from 8.0.0 (inclusive) to 8.0.4 (exclusive))
  • cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:* (versions from 9.0.0 (inclusive) to 9.0.2 (exclusive))

Weaknesses
CWE ID: CWE-1321
Type: Primary
Source: nvd@nist.gov

References
Hyperlink: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/
Source: cve@mitre.org
Resource: Vendor Advisory


Similar CVEs

59 records found

CVE-2019-9058
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 7.2 (HIGH)
EPSS: 1.00% / 76.11%
7 Day CHG: ~0.00%
Published: 26 Mar, 2019 | 16:40
Updated: 04 Aug, 2024 | 21:38
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.

Action: Not Available
Vendor: n/a, The CMS Made Simple Foundation
Product: cms_made_simple, n/a
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2019-9061
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 8.8 (HIGH)
EPSS: 0.78% / 72.76%
7 Day CHG: ~0.00%
Published: 26 Mar, 2019 | 16:49
Updated: 04 Aug, 2024 | 21:38
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue was discovered in CMS Made Simple 2.2.8. In the module ModuleManager (in the file action.installmodule.php), it is possible to reach an unserialize call with untrusted input and achieve authenticated object injection by using the "install module" feature.

Action: Not Available
Vendor: n/a, The CMS Made Simple Foundation
Product: cms_made_simple, n/a
CWE ID: CWE-502
Deserialization of Untrusted Data
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2019-10808
Matching Score: 4
Assigner: Snyk
CVSS Score: 8.8 (HIGH)
EPSS: 0.76% / 72.37%
7 Day CHG: ~0.00%
Published: 11 Mar, 2020 | 22:05
Updated: 04 Aug, 2024 | 22:32
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.

Action: Not Available
Vendor: xcritical.software, n/a
Product: utilitify, utilitify
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2018-6195
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 7.2 (HIGH)
EPSS: 2.44% / 84.57%
7 Day CHG: ~0.00%
Published: 30 Jan, 2018 | 20:00
Updated: 05 Aug, 2024 | 05:54
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Action: Not Available
Vendor: splashing_images_project, n/a
Product: splashing_images, n/a
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2018-19274
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 7.2 (HIGH)
EPSS: 21.11% / 95.44%
7 Day CHG: ~0.00%
Published: 17 Nov, 2018 | 13:00
Updated: 05 Aug, 2024 | 11:30
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.

Action: Not Available
Vendor: phpbb, n/a, Debian GNU/Linux
Product: phpbb, debian_linux, n/a
CWE ID: CWE-502
Deserialization of Untrusted Data
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-4307
Matching Score: 4
Assigner: VulDB
CVSS Score: 6.3 (MEDIUM)
EPSS: 0.16% / 37.10%
7 Day CHG: ~0.00%
Published: 07 Jan, 2023 | 19:28
Updated: 25 Nov, 2024 | 17:08
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Yomguithereal Baobab prototype pollution

A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be launched remotely. Upgrading to version 2.6.1 is able to address this issue. The patch is named c56639532a923d9a1600fb863ec7551b188b5d19. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217627.

Action: Not Available
Vendor: baobab_project, Yomguithereal
Product: baobab, Baobab
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2024-22443
Matching Score: 4
Assigner: Hewlett Packard Enterprise (HPE)
CVSS Score: 7.2 (HIGH)
EPSS: 0.94% / 75.32%
7 Day CHG: ~0.00%
Published: 24 Jul, 2024 | 15:08
Updated: 01 Aug, 2024 | 22:43
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Action: Not Available
Vendor: Aruba Networks, Hewlett Packard Enterprise (HPE)
Product: edgeconnect_sd-wan_orchestrator, HPE Aruba Networking EdgeConnect SD-WAN Orchestrator, edgeconnect_sd-wan_orchestrator
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-20083
Matching Score: 4
Assigner: Tenable Network Security, Inc.
CVSS Score: 8.8 (HIGH)
EPSS: 7.29% / 91.28%
7 Day CHG: ~0.00%
Published: 23 Apr, 2021 | 18:47
Updated: 03 Aug, 2024 | 17:30
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype.

Action: Not Available
Vendor: jquery-plugin-query-object_project, n/a
Product: jquery-plugin-query-object, jquery-plugin-query-object
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-20085
Matching Score: 4
Assigner: Tenable Network Security, Inc.
CVSS Score: 8.8 (HIGH)
EPSS: 0.55% / 66.84%
7 Day CHG: ~0.00%
Published: 23 Apr, 2021 | 18:41
Updated: 03 Aug, 2024 | 17:30
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.

Action: Not Available
Vendor: backbone-query-parameters_project, n/a
Product: backbone-query-parameters, backbone-query-parameters
CWE ID: CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')