CVE-2024-58258
Description
SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SugarCRM API module SSRF via code injection allows authenticated attackers to make requests to internal systems; fixed in 13.0.4 and 14.0.1.
The vulnerability is an SSRF (Server-Side Request Forgery) in the API module of SugarCRM, caused by missing input validation that allows limited PHP code injection. An attacker can craft a special request to inject custom PHP code, leading to server-side requests being made to arbitrary internal or external hosts. This issue affects SugarCRM Enterprise, Sell, and Serve versions before 13.0.4 and 14.x before 14.0.1 [1].
Exploitation requires an authenticated user with any privilege level. The attack is performed through the API module by sending a specially crafted request that bypasses input validation, enabling code injection. No special network position is needed beyond standard API access [1].
Successful exploitation allows an attacker to perform SSRF, potentially accessing internal services, cloud metadata endpoints, or other resources that are not intended to be exposed. This could lead to information disclosure, further compromise, or lateral movement within the environment [1].
SugarCRM has released fixed versions: 13.0.4 for the 13.x series and 14.0.1 for the 14.x series. On-premises customers should upgrade immediately; SugarCloud customers receive the update automatically. No workaround is available. The vulnerability was responsibly disclosed by HackerOne/egix [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.