CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description
SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur.
Analysis
CVE-2024-58258 is a Server-Side Request Forgery (SSRF) vulnerability in SugarCRM's API module. The root cause is a limited form of code injection in that module, which an unauthenticated remote attacker can use to make the SugarCRM server issue HTTP requests to destinations of the attacker's choosing. SugarCRM versions before 13.0.4 and 14.x before 14.0.1 are affected. Typical consequences of an SSRF at this position are reads of internal services that trust the application server's network location, access to cloud instance metadata endpoints, and use of the server as a pivot toward otherwise unreachable hosts. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) yields a base score of 7.2 (High): network-reachable, low complexity, no privileges or user interaction, scope changed because the impact lands on systems other than SugarCRM itself, with low confidentiality and integrity impact and no availability impact. The vulnerability does not by itself provide code execution on the SugarCRM host.
Technical Context
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection') within SugarCRM's API module. SugarCRM is a PHP web application whose integrations run over a REST API, so the affected code path is reachable over HTTP. The public description does not name the API endpoint or parameter involved; the likely mechanism, inferred from the CWE and the SSRF outcome, is that user-supplied API input reaches a code-generating or evaluating construct with insufficient validation, and the injected fragment is enough to make the server fetch an attacker-chosen URL or resource. The CPE entry is cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*, with affected version ranges <13.0.4 and 14.0.0.
Affected Products
Vendor: SugarCRM
Product: SugarCRM
CPE: cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*
Affected versions: 13.0.0 through 13.0.3; 14.0.0 (the published description says "before 13.0.4" without stating a lower bound, so treat older 13.x-and-earlier releases as affected unless the vendor says otherwise)
Patched versions: 13.0.4 and later; 14.0.1 and later
Remediation
Patch (priority: Critical): update SugarCRM 13.x installations to version 13.0.4 or later.
Patch (priority: Critical): update SugarCRM 14.x installations to version 14.0.1 or later.
Mitigation (priority: High): restrict outbound HTTP/HTTPS from SugarCRM application servers at the network level, blocking the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback and link-local space, and the cloud metadata endpoint 169.254.169.254 (used by AWS, Azure and GCP; AWS also serves IMDS on fd00:ec2::254 over IPv6). Because the flaw needs no authentication, egress control is the main compensating control until the patch is applied.
Mitigation (priority: Medium): apply rate limiting and request validation at the reverse proxy or API gateway in front of SugarCRM to limit scanning of internal address space; note that a single crafted request is enough to trigger the SSRF, so this reduces blast radius rather than preventing exploitation.
Detection (priority: High): review API access logs for parameters carrying URLs or addresses that point at internal hosts, metadata endpoints, or external hosts outside an allow-list; add WAF rules for code-injection patterns in API parameters, and watch for outbound connections from the SugarCRM host to destinations it has no business reaching.
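The egress and detection advice above can be checked in code. The following is an added example, not SugarCRM's own code and not a fix for this CVE: a destination guard that rejects URLs whose scheme is not http(s) or whose host resolves to any private, loopback, link-local or cloud-metadata address, plus a sweep over API log lines that flags URL-valued parameters the guard would reject. The resolver is injectable so the block runs offline; the hostnames, request paths and log lines are constructed for the example and do not describe the vulnerable endpoint.

```python
"""Added example (not SugarCRM code): SSRF egress guard and log sweep."""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import unquote, urlsplit

# Address space an application server should never be asked to fetch from:
# unspecified, RFC 1918, CGNAT, loopback, link-local (covers the
# 169.254.169.254 metadata endpoint), IPv6 ULA/link-local, and the AWS
# IPv6 IMDS endpoint fd00:ec2::254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "fd00:ec2::254/128",
)]
ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_destination(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be public, so a
    name with one public and one private answer is rejected. To avoid DNS
    rebinding between this check and the real request, the caller should
    connect to the vetted address rather than re-resolving the name."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [host] if _is_ip_literal(host) else resolve(host)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


# Log sweep: find URL-valued parameters (also when percent-encoded) and
# apply the same guard to them.
URL_RE = re.compile(r"https?://[^\s\"'&<>]+", re.IGNORECASE)


def scan_log_lines(lines: Iterable[str], resolve: Resolver = system_resolver) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line carrying a URL the guard rejects."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(unquote(line)):
            allowed, reason = check_destination(url, resolve)
            if not allowed:
                hits.append((line, reason))
    return hits


# Constructed fixtures (hypothetical hosts and paths, not SugarCRM endpoints).
FAKE_DNS = {
    "crm-partner.example": ["203.0.113.10"],
    "intranet.corp.example": ["10.20.30.40"],
    "rebind.example": ["203.0.113.11", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


SAMPLE_LOG = [
    '198.51.100.7 "POST /api/hook HTTP/1.1" 200 target=https://crm-partner.example/hook',
    '198.51.100.7 "POST /api/hook HTTP/1.1" 200 target=http://169.254.169.254/latest/meta-data/',
    '198.51.100.7 "GET /api/fetch?u=http%3A%2F%2Fintranet.corp.example%2Fadmin HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line, reason in scan_log_lines(SAMPLE_LOG, fake_resolver):
        print(f"FLAG: {reason} <- {line}")
```

The guard is deliberately allow-list shaped: only http/https, and every address behind the name must be public. That rejects the half-public/half-private name used to slip past resolvers that check only the first answer, and the IPv4-mapped IPv6 form that bypasses a naive IPv4-only filter. Run against real logs, replace `fake_resolver` with `system_resolver` and expect some false positives from legitimate integrations that sit on internal addresses; those belong on an explicit allow-list, not on a blanket exemption.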
EUVD-2024-54779