CVE-2020-28328
Published
CVSS v3
8.8
HIGH
CVSS v2
9
HIGH
Affected
1
PROJECT
Description
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
Writeup on CVE-2020-28328: SuiteCRM Log File Remote Code Execution plus some bonus Cross-Site Scripting
GitHub