Vulnerabilities related to SugarCRM - SugarCRM
Vulnerability from fkie_nvd
Published
2009-06-22 14:30
Modified
2024-11-21 01:04
Summary
Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "C30BBF2D-8BF5-4DF5-8A8A-8F066DE61FD8", "versionEndIncluding": "5.2e", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "6FEB4B61-0F95-45CA-AB7A-BA07FF2FCA82", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0h:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "B23F68DA-DFB0-42E1-959A-F7A68AA83BC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0k:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "0C7E5228-8F94-42EA-B0E0-A52E0F05A933", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1.0:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "6E29C3D7-E58A-4F9D-9C2D-9215EBF9F3BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1.0-beta:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "FF69D1EA-2B23-4A9A-A535-A4C59C7DBBD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1c:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "DC04A89E-5379-41B3-BF84-87A2AEB62ED0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2c:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "F0114CAC-A8F4-489C-818E-DB4E068DAB99", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2d:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "25E6CA5B-18F8-4C81-A436-6A7FA0E8B45D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct 
request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name." }, { "lang": "es", "value": "Vulnerabilidad de subida de fichero sin restricci\u00f3n en la caracteristica Compose Email del m\u00f3dulo Emails in Sugar Community Edition (tambi\u00e9n conocido como SugarCRM) versi\u00f3n anterior a 5.2f permite a atacantes remotos ejecutar c\u00f3digo de su elecci\u00f3n subiendo un fichero con una extensi\u00f3n ejecutable, posteriormente accediendo al fichero mediante una petici\u00f3n directa a un fichero modificado del directorio cache/modules/Emails/, como se ha demostrado al usar .php como el nombre completo original" } ], "id": "CVE-2009-2146", "lastModified": "2024-11-21T01:04:14.330", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-06-22T14:30:00.313", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/35445" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/35361" }, { "source": "cve@mitre.org", "url": "http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/35445" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/35361" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-09-17 21:29
Modified
2024-11-21 03:12
Summary
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CF7DEB0-D9C7-4422-8632-F70D7EE23DB9", "versionEndIncluding": "7.7.2.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.26:*:*:*:community:*:*:*", "matchCriteriaId": "D3E99EB2-05BF-4575-9170-D9014B2D6B5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD5EB33E-9B9E-4D05-928E-55D53F94A698", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "62260AB3-77B6-4E7D-9ECF-AB0871F01E52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B59B76F-5141-47BE-975D-356742C13659", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F20AB20-1C40-4192-8B1D-0C227681F2EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2021DD4C-B55B-4C52-B46B-C71AE71E1B48", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6A722A2-2DD7-4513-85B2-5DE2886D1AC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D34FE48A-1DA0-4F87-9C62-507123D070AA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DA7C251-86A8-4B1C-9296-C6008CAF65DF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest\u0026url= query string. 
Proper input validation has been added to mitigate this issue." }, { "lang": "es", "value": "Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.9.x anteriores a la 7.9.2.0 (y Sugar Community Edition 6.5.26). Existe una vulnerabilidad de inclusi\u00f3n remota de archivos en el m\u00f3dulo Connectors que permite a usuarios autenticados incluir archivos de sistema que se pueden acceder remotamente mediante una cadena de consulta module=CallRest\u0026url=. Una validaci\u00f3n de valores de entrada correcta mitigar\u00eda este problema." } ], "id": "CVE-2017-14509", "lastModified": "2024-11-21T03:12:56.740", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-09-17T21:29:00.280", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "source": 
"cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/" }, { "source": "cve@mitre.org", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite un salto de directorio en la funci\u00f3n attachment por parte de un usuario Regular." } ], "id": "CVE-2019-17311", "lastModified": "2024-11-21T04:32:03.833", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:13.070", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-09-17 21:29
Modified
2024-11-21 03:12
Summary
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CF7DEB0-D9C7-4422-8632-F70D7EE23DB9", "versionEndIncluding": "7.7.2.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.26:*:*:*:community:*:*:*", "matchCriteriaId": "D3E99EB2-05BF-4575-9170-D9014B2D6B5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD5EB33E-9B9E-4D05-928E-55D53F94A698", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "62260AB3-77B6-4E7D-9ECF-AB0871F01E52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B59B76F-5141-47BE-975D-356742C13659", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F20AB20-1C40-4192-8B1D-0C227681F2EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2021DD4C-B55B-4C52-B46B-C71AE71E1B48", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6A722A2-2DD7-4513-85B2-5DE2886D1AC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D34FE48A-1DA0-4F87-9C62-507123D070AA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DA7C251-86A8-4B1C-9296-C6008CAF65DF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). 
Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits." }, { "lang": "es", "value": "Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.9.x anteriores a la 7.9.2.0 (y Sugar Community Edition 6.5.26). Se identificaron m\u00faltiples \u00e1reas en el m\u00f3dulo Documents and Emails que podr\u00edan permitir a un usuario autenticado ejecutar inyecciones SQL, tal y como se demuestra con el car\u00e1cter barra invertida al final de un bean_id para modules/Emails/DetailView.php. Un atacante podr\u00eda explotar estas vulnerabilidades mediante el env\u00edo de una petici\u00f3n SQL manipulada a las \u00e1reas afectadas. Un exploit podr\u00eda permitir que el atacante modifique la base de datos SQL. Un escapado SQL correcto prevendr\u00eda dicho exploit." 
} ], "id": "CVE-2017-14508", "lastModified": "2024-11-21T03:12:56.593", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-09-17T21:29:00.217", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/" }, { "source": "cve@mitre.org", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-09-24 00:55
Modified
2024-11-21 01:31
Summary
SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C16E5EC2-5F12-4295-A1DC-84D483B41B11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files." }, { "lang": "es", "value": "SugarCRM v6.1.0 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una petici\u00f3n directa a un archivo .php, lo que revela la ruta de instalaci\u00f3n en un mensaje de error, como se demostr\u00f3 con themes/Sugar5/layout_utils.php y algunos otros archivos." } ], "id": "CVE-2011-3803", "lastModified": "2024-11-21T01:31:18.047", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-09-24T00:55:03.333", "references": [ { "source": "cve@mitre.org", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" }, { "source": "cve@mitre.org", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo pmse_Project por parte de un usuario Regular." } ], "id": "CVE-2019-17293", "lastModified": "2024-11-21T04:32:01.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:11.773", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-22 20:15
Modified
2024-11-21 05:29
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allow attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://www.vulnerability-lab.com/get_content.php?id=2249 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.vulnerability-lab.com/get_content.php?id=2249 | Exploit, Third Party Advisory
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.18:*:*:*:*:*:*:*", "matchCriteriaId": "FE6D1FAF-2303-4975-B48C-86834E2A61F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en el m\u00f3dulo de Soporte de SugarCRM versi\u00f3n v6.5.18, permiten a atacantes ejecutar scripts web arbitrarios o HTML por medio de cargas \u00fatiles dise\u00f1adas introducidas en los campos de entrada primary address state or alternate address state" } ], "id": "CVE-2020-36501", "lastModified": "2024-11-21T05:29:40.893", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-10-22T20:15:11.690", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo MergeRecords por parte de un usuario Regular." } ], "id": "CVE-2019-17305", "lastModified": "2024-11-21T04:32:02.987", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.600", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-12 13:15
Modified
2024-11-21 05:07
Summary
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B3E1615-8E76-4223-BA4C-DB37070A6E84", "versionEndExcluding": "10.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 10.1.0 (Q3 2020) allows XSS." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 10.1.0 (el Q3 2020), permite un ataque de tipo XSS" } ], "id": "CVE-2020-17372", "lastModified": "2024-11-21T05:07:57.980", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T13:15:10.690", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/7" }, { 
"source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-16 20:29
Modified
2024-11-21 04:09
Summary
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://m4k4br0.github.io/sugarcrm-xss/ | Exploit, Third Party Advisory
cve@mitre.org | https://www.exploit-db.com/exploits/43683/ | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://m4k4br0.github.io/sugarcrm-xss/ | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/43683/ | Exploit, Third Party Advisory, VDB Entry
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B6842129-2DF6-47C9-8960-BF39D1A337C5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable)." }, { "lang": "es", "value": "phprint.php en SugarCRM 3.5.1 tiene XSS mediante un nombre de par\u00e1metro en la cadena de consulta (tambi\u00e9n conocida como variable $key)." } ], "id": "CVE-2018-5715", "lastModified": "2024-11-21T04:09:14.000", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-16T20:29:00.277", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://m4k4br0.github.io/sugarcrm-xss/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": 
"https://www.exploit-db.com/exploits/43683/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://m4k4br0.github.io/sugarcrm-xss/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/43683/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo Quotes por parte de un usuario Regular." } ], "id": "CVE-2019-17297", "lastModified": "2024-11-21T04:32:01.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.023", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-08-27 18:30
Modified
2024-11-21 01:06
Summary
SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
Impacted products
Vendor | Product | Version
---|---|---
sugarcrm | sugarcrm | *
sugarcrm | sugarcrm | *
sugarcrm | sugarcrm | *
sugarcrm | sugarcrm | 1.0
sugarcrm | sugarcrm | 1.0f
sugarcrm | sugarcrm | 1.0g
sugarcrm | sugarcrm | 1.1
sugarcrm | sugarcrm | 1.1a
sugarcrm | sugarcrm | 1.1b
sugarcrm | sugarcrm | 1.1c
sugarcrm | sugarcrm | 1.1d
sugarcrm | sugarcrm | 1.1e
sugarcrm | sugarcrm | 1.1f
sugarcrm | sugarcrm | 1.5d
sugarcrm | sugarcrm | 2.0.1
sugarcrm | sugarcrm | 2.0.1a
sugarcrm | sugarcrm | 2.0.1c
sugarcrm | sugarcrm | 3.0.1
sugarcrm | sugarcrm | 3.5
sugarcrm | sugarcrm | 3.5.1
sugarcrm | sugarcrm | 4.0
sugarcrm | sugarcrm | 4.0.1
sugarcrm | sugarcrm | 4.1
sugarcrm | sugarcrm | 4.2
sugarcrm | sugarcrm | 4.2.1
sugarcrm | sugarcrm | 4.5.0
sugarcrm | sugarcrm | 4.5.0f
sugarcrm | sugarcrm | 4.5.1
sugarcrm | sugarcrm | 5.0.0
sugarcrm | sugarcrm | 5.0.0h
sugarcrm | sugarcrm | 5.2a
sugarcrm | sugarcrm | 5.2c
sugarcrm | sugarcrm | 5.2d
sugarcrm | sugarcrm | 5.2e
sugarcrm | sugarcrm | 5.2e
sugarcrm | sugarcrm | 5.2f
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E53F4C99-9892-4E15-AC43-7C350F84B5D4", "versionEndIncluding": "4.5.1o", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "5C668E68-AA42-4D18-9C9D-45D1C73F5C81", "versionEndIncluding": "5.0.0k", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A97B4C9-4510-4970-AD03-1106294A4FBF", "versionEndIncluding": "5.2.0g", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4107E934-D5CF-4ABF-8CB6-0DA90F3D9A74", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0f:*:*:*:*:*:*:*", "matchCriteriaId": "85742E7F-C06C-46A5-9008-245BE6E4E0BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0g:*:*:*:*:*:*:*", "matchCriteriaId": "B820A83B-0F03-4523-9D4D-3EB2930B35F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "49FA30E3-7572-4BCC-8EFA-9D259DF892E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1a:*:*:*:*:*:*:*", "matchCriteriaId": "AFBB2BDD-5FA2-40E1-9395-A9DED672E3FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1b:*:*:*:*:*:*:*", "matchCriteriaId": "022D7E5E-BCBC-4E14-9C0D-50E5DD237D76", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1c:*:*:*:*:*:*:*", "matchCriteriaId": "22E73109-5473-417C-A003-7C1EE1DC3ABC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1d:*:*:*:*:*:*:*", "matchCriteriaId": "F183CCFF-6D5B-43E7-A70F-E9AEA6E46880", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1e:*:*:*:*:*:*:*", "matchCriteriaId": "1DA73438-7BA5-4668-90E2-2EECDBBB58A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1f:*:*:*:*:*:*:*", "matchCriteriaId": 
"A6C3E6DF-AE5C-4D7F-99B3-16C3967A6A60", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.5d:*:*:*:*:*:*:*", "matchCriteriaId": "6BF53885-8C5B-4654-AB42-587290E58355", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A197BD9-85DD-47F2-B30B-6C7F372F6DCE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1a:*:*:*:*:*:*:*", "matchCriteriaId": "42F2BB29-5136-4F23-8D1B-0507A5FCBF13", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1c:*:*:*:*:*:*:*", "matchCriteriaId": "603F5E29-5D0B-4872-A125-D7B1CD77BACA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "687D4794-4163-4EC8-9673-47E5EF216371", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "12DAF9EB-FED5-482D-820E-553E9057B92E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B6842129-2DF6-47C9-8960-BF39D1A337C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DF5360C-C07C-413A-9B8C-50907187DAC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DED8B842-AAEB-4227-A2D3-64229F4B9FA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "4525F5B5-E268-4B50-8244-E8829C106FA1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "28098D0F-B3E2-470E-92B1-C9138A664496", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "35F7EFEF-004A-458A-9B3C-3B1B654C6C11", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "ACB97DBC-4525-4227-9698-4B05140CCAB1", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:4.5.0f:*:*:*:*:*:*:*", "matchCriteriaId": "58854312-8672-4399-83FB-DF12DF6052F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "13A8BAEB-B6E3-48AF-90E8-28D7146115AF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "6FEB4B61-0F95-45CA-AB7A-BA07FF2FCA82", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0h:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "B23F68DA-DFB0-42E1-959A-F7A68AA83BC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2a:*:*:*:*:*:*:*", "matchCriteriaId": "439E75C4-C02D-4905-9D73-CE27D6A54C5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2c:*:*:*:*:*:*:*", "matchCriteriaId": "6BF95EA0-16E7-4173-AEC8-D66A3F8FB62B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2d:*:*:*:*:*:*:*", "matchCriteriaId": "BFA524F8-A78F-414A-A5AC-1A89901BD917", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2e:*:*:*:*:*:*:*", "matchCriteriaId": "CFCC9802-4642-4331-9D56-4E1F76151E24", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2e:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "0B6D79D5-2E61-4C1F-906B-EB16F0D97586", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2f:*:*:*:*:*:*:*", "matchCriteriaId": "7922DB4E-9812-4636-A61D-8D201CE92D93", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors." 
}, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en SugarCRM v4.5.1o y anteriores, v5.0.0k y anteriores, y v5.2.0g y anteriores, permite a los atacantes remotos ejecutar arbitrariamente comandos SQL a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2009-2978", "lastModified": "2024-11-21T01:06:12.317", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-08-27T18:30:00.453", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://jvn.jp/en/jp/JVN31035930/index.html" }, { "source": "cve@mitre.org", "url": "http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36423" }, { "source": "cve@mitre.org", "url": "http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/36118" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50907" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50953" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52679" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://jvn.jp/en/jp/JVN31035930/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36423" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/36118" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50907" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50953" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52679" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en la funci\u00f3n export por parte de un usuario Regular." } ], "id": "CVE-2019-17294", "lastModified": "2024-11-21T04:32:01.387", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:11.833", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo ModuleBuilder por parte de un usuario Admin." } ], "id": "CVE-2019-17301", "lastModified": "2024-11-21T04:32:02.397", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.320", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-27 04:15
Modified
2024-11-21 08:29
Severity ?
Summary
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server-Side Template Injection (SSTI) vulnerability has been identified in the GetControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3BCEA458-0427-445A-B74A-590934520C79", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "C1C36594-3456-4BDA-BFA2-000F5EE2D7DF", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "0B003912-9B1C-47A0-A924-6F1388932016", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "09C053BA-CB75-4C39-AFA6-C6E7BDC44BE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.0:*:*:*:sell:*:*:*", "matchCriteriaId": "EDADB8E6-E436-46EF-A3C6-1482EEB24001", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.0:*:*:*:serve:*:*:*", "matchCriteriaId": "BE19EDC5-18A6-41EC-BE08-CD2BCE7D74CC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.1:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5F7DAE96-4F17-498B-9158-3CC81157C2BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.1:*:*:*:sell:*:*:*", "matchCriteriaId": "D550659A-9E01-4548-B88B-2C6167CDDDD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.1:*:*:*:serve:*:*:*", "matchCriteriaId": "80CA0C95-E7E3-4DA1-9D3F-979BCE9E60FE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. 
By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this." }, { "lang": "es", "value": "Se descubri\u00f3 un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. Se ha identificado una vulnerabilidad de inyecci\u00f3n de plantilla de sitio de servidor (SSTI) en la acci\u00f3n GecControl. Al utilizar una solicitud manipulada, se puede inyectar c\u00f3digo PHP personalizado a trav\u00e9s de la acci\u00f3n GetControl debido a la falta de validaci\u00f3n de entrada. Un atacante con privilegios de usuario habituales puede aprovechar esto." } ], "id": "CVE-2023-46816", "lastModified": "2024-11-21T08:29:22.003", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-27T04:15:10.847", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo Emails por parte de un usuario Regular." } ], "id": "CVE-2019-17308", "lastModified": "2024-11-21T04:32:03.420", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.803", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-08-14 16:15
Modified
2024-11-21 04:27
Severity ?
Summary
SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.exploit-db.com/exploits/47247 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/47247 | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:9.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8F9D50EB-CB02-4EF7-A9DC-077D20300BF2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS." }, { "lang": "es", "value": "SugarCRM Enterprise versi\u00f3n 9.0.0, permite un ataque de tipo XSS de mobile/error-not-support-platform.html? Desktop_url=." } ], "id": "CVE-2019-14974", "lastModified": "2024-11-21T04:27:48.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-14T16:15:12.707", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/47247" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" 
], "url": "https://www.exploit-db.com/exploits/47247" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-01-10 05:00
Modified
2024-11-20 23:50
Severity ?
Summary
SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sugarcrm | sugarcrm | 1.0 | |
sugarcrm | sugarcrm | 1.0f | |
sugarcrm | sugarcrm | 1.0g | |
sugarcrm | sugarcrm | 1.1 | |
sugarcrm | sugarcrm | 1.1a | |
sugarcrm | sugarcrm | 1.1b | |
sugarcrm | sugarcrm | 1.1c | |
sugarcrm | sugarcrm | 1.1d | |
sugarcrm | sugarcrm | 1.1e | |
sugarcrm | sugarcrm | 1.1f | |
sugarcrm | sugarcrm | 1.5d | |
sugarcrm | sugarcrm | 2.0.1 | |
sugarcrm | sugarcrm | 2.0.1a |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4107E934-D5CF-4ABF-8CB6-0DA90F3D9A74", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0f:*:*:*:*:*:*:*", "matchCriteriaId": "85742E7F-C06C-46A5-9008-245BE6E4E0BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0g:*:*:*:*:*:*:*", "matchCriteriaId": "B820A83B-0F03-4523-9D4D-3EB2930B35F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "49FA30E3-7572-4BCC-8EFA-9D259DF892E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1a:*:*:*:*:*:*:*", "matchCriteriaId": "AFBB2BDD-5FA2-40E1-9395-A9DED672E3FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1b:*:*:*:*:*:*:*", "matchCriteriaId": "022D7E5E-BCBC-4E14-9C0D-50E5DD237D76", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1c:*:*:*:*:*:*:*", "matchCriteriaId": "22E73109-5473-417C-A003-7C1EE1DC3ABC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1d:*:*:*:*:*:*:*", "matchCriteriaId": "F183CCFF-6D5B-43E7-A70F-E9AEA6E46880", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1e:*:*:*:*:*:*:*", "matchCriteriaId": "1DA73438-7BA5-4668-90E2-2EECDBBB58A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1f:*:*:*:*:*:*:*", "matchCriteriaId": "A6C3E6DF-AE5C-4D7F-99B3-16C3967A6A60", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.5d:*:*:*:*:*:*:*", "matchCriteriaId": "6BF53885-8C5B-4654-AB42-587290E58355", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A197BD9-85DD-47F2-B30B-6C7F372F6DCE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1a:*:*:*:*:*:*:*", "matchCriteriaId": "42F2BB29-5136-4F23-8D1B-0507A5FCBF13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], 
"descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality." } ], "id": "CVE-2004-1225", "lastModified": "2024-11-20T23:50:24.417", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-01-10T05:00:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "source": "cve@mitre.org", "url": "http://www.gulftech.org/?node=research\u0026article_id=00053-120104" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.securityfocus.com/bid/11740" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18325" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.gulftech.org/?node=research\u0026article_id=00053-120104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.securityfocus.com/bid/11740" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18325" } ], "sourceIdentifier": 
"cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-29 21:15
Modified
2024-11-21 01:35
Severity ?
Summary
SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://seclists.org/bugtraq/2012/Jun/165 | Mailing List, Third Party Advisory | |
cve@mitre.org | https://security-tracker.debian.org/tracker/CVE-2012-0694 | Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/19381 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/bugtraq/2012/Jun/165 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2012-0694 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/19381 | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:community:*:*:*", "matchCriteriaId": "9D295306-7B62-4E88-A98C-F182289A9F4F", "versionEndIncluding": "6.3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM CE \u003c= 6.3.1 contains scripts that use \"unserialize()\" with user controlled input which allows remote attackers to execute arbitrary PHP code." }, { "lang": "es", "value": "SugarCRM CE versiones anteriores a 6.3.1 incluy\u00e9ndola, contiene scripts que usan la funci\u00f3n \"unserialize()\" con entrada controlada por el usuario lo que permite a atacantes remotos ejecutar c\u00f3digo PHP arbitrario." } ], "id": "CVE-2012-0694", "lastModified": "2024-11-21T01:35:33.293", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-29T21:15:10.747", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing 
List", "Third Party Advisory" ], "url": "https://seclists.org/bugtraq/2012/Jun/165" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2012-0694" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/19381" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://seclists.org/bugtraq/2012/Jun/165" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2012-0694" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/19381" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-17 22:15
Modified
2024-12-17 17:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F2920E2F-99C4-4C67-9336-BD5A02EC0E71", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "6A6F5559-F05F-43B8-A972-E06B5AD0B249", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "C2391868-9E0B-44D3-8206-B4D66FF98374", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "8165A201-F418-46B5-8574-FEECF535D00D", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "67E235C5-274C-45DD-B3E2-266E8A9E778B", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0239BDAF-6DF6-4CC7-97C6-53EB4BEFB784", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "9BC5281D-BEA4-4AE7-ACAF-5814E5E62CAC", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "539A1F9D-92B2-43A4-B28C-19B1C25B2A45", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. 
An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected." } ], "id": "CVE-2023-35808", "lastModified": "2024-12-17T17:15:07.730", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-06-17T22:15:09.477", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/174300/SugarCRM-12.2.0-Shell-Upload.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2023/Aug/26" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/174300/SugarCRM-12.2.0-Shell-Upload.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://seclists.org/fulldisclosure/2023/Aug/26" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo MergeRecords por parte de un usuario Admin." } ], "id": "CVE-2019-17304", "lastModified": "2024-11-21T04:32:02.840", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.537", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 15:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo pmse_Inbox por parte de un usuario Regular." } ], "id": "CVE-2019-17318", "lastModified": "2024-11-21T04:32:04.833", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T15:15:11.090", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo Campaigns por parte de un usuario Admin." } ], "id": "CVE-2019-17310", "lastModified": "2024-11-21T04:32:03.693", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.977", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 15:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de objetos PHP en el m\u00f3dulo Administration por parte de un usuario Admin." } ], "id": "CVE-2019-17315", "lastModified": "2024-11-21T04:32:04.400", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T15:15:10.873", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1321" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo Administration por parte de un usuario Developer." } ], "id": "CVE-2019-17298", "lastModified": "2024-11-21T04:32:01.967", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.083", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 15:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo Emails por parte de un usuario Regular." } ], "id": "CVE-2019-17319", "lastModified": "2024-11-21T04:32:04.977", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T15:15:11.153", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-05-19 10:02
Modified
2024-11-21 00:11
Severity ?
Summary
Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "12DAF9EB-FED5-482D-820E-553E9057B92E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DF5360C-C07C-413A-9B8C-50907187DAC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "4525F5B5-E268-4B50-8244-E8829C106FA1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "28098D0F-B3E2-470E-92B1-C9138A664496", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter." 
} ], "id": "CVE-2006-2460", "lastModified": "2024-11-21T00:11:21.637", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-05-19T10:02:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/20072" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/921" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://securitytracker.com/id?1016087" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/25532" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/434009/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/17987" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/1791" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26451" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/1785" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/20072" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/921" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://securitytracker.com/id?1016087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/25532" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/434009/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/17987" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/1791" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26451" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/1785" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-01-25 08:29
Modified
2024-11-21 04:10
Severity ?
Summary
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf | Exploit, Technical Description, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf | Exploit, Technical Description, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.26:*:*:*:community:*:*:*", "matchCriteriaId": "D3E99EB2-05BF-4575-9170-D9014B2D6B5A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\\Campaigns\\Tracker.php and modules\\Campaigns\\utils.php, the default_currency_name parameter to modules\\Configurator\\controller.php and modules\\Currencies\\Currency.php, the duplicate parameter to modules\\Contacts\\ShowDuplicates.php, the mergecur parameter to modules\\Currencies\\index.php and modules\\Opportunities\\Opportunity.php, and the load_signed_id parameter to modules\\Documents\\Document.php." }, { "lang": "es", "value": "Existen m\u00faltiples inyecciones SQL en SugarCRM Community Edition 6.5.26 y anteriores mediante el par\u00e1metro track en modules\\Campaigns\\Tracker.php y modules\\Campaigns\\utils.php, el par\u00e1metro default_currency_name en modules\\Configurator\\controller.php y modules\\Currencies\\Currency.php, el par\u00e1metro duplicate en modules\\Contacts\\ShowDuplicates.php, el par\u00e1metro mergecur en modules\\Currencies\\index.php y modules\\Opportunities\\Opport2unity.php y el par\u00e1metro load_signed_id en modules\\Documents\\Document.php." 
} ], "id": "CVE-2018-6308", "lastModified": "2024-11-21T04:10:27.520", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-25T08:29:00.383", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2006-12-23 01:28
Modified
2024-11-21 00:23
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C9341FA-4D76-4483-8890-30097CB9CBFC", "versionEndIncluding": "4.5.0f", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages." }, { "lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en SugarCRM Open Source 4.5.0f y anteriores permite a un atacante remoto inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores no especificados en mensajes de correo manipulados." } ], "id": "CVE-2006-6712", "lastModified": "2024-11-21T00:23:28.087", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-12-23T01:28:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "URL Repurposed" ], "url": "http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf" }, { "source": "cve@mitre.org", "url": "http://jvn.jp/jp/JVN%2374079537/index.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/23424" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1017434" }, { "source": 
"cve@mitre.org", "url": "http://www.securityfocus.com/bid/21694" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/5100" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "URL Repurposed" ], "url": "http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://jvn.jp/jp/JVN%2374079537/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/23424" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1017434" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/21694" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/5100" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo Administration por parte de un usuario Admin." } ], "id": "CVE-2019-17299", "lastModified": "2024-11-21T04:32:02.110", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.163", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-09-17 21:29
Modified
2024-11-21 03:12
Summary
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by properly validating the redirect URL values being passed along.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CF7DEB0-D9C7-4422-8632-F70D7EE23DB9", "versionEndIncluding": "7.7.2.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.26:*:*:*:community:*:*:*", "matchCriteriaId": "D3E99EB2-05BF-4575-9170-D9014B2D6B5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD5EB33E-9B9E-4D05-928E-55D53F94A698", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "62260AB3-77B6-4E7D-9ECF-AB0871F01E52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B59B76F-5141-47BE-975D-356742C13659", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F20AB20-1C40-4192-8B1D-0C227681F2EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "2021DD4C-B55B-4C52-B46B-C71AE71E1B48", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6A722A2-2DD7-4513-85B2-5DE2886D1AC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D34FE48A-1DA0-4F87-9C62-507123D070AA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:7.9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DA7C251-86A8-4B1C-9296-C6008CAF65DF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. 
This attack vector is mitigated by proper validating the redirect URL values being passed along." }, { "lang": "es", "value": "Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.9.x anteriores a la 7.9.2.0 (y Sugar Community Edition 6.5.26). La funcionalidad WebToLeadCapture es vulnerable a ataques Cross-Site Scripting (XSS) no autenticados. Este vector de ataque se mitiga mediante la correcta validaci\u00f3n de los valores de redirecci\u00f3n URL que se van pasando." } ], "id": "CVE-2017-14510", "lastModified": "2024-11-21T03:12:56.873", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-09-17T21:29:00.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/" }, { "source": "cve@mitre.org", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-01-10 05:00
Modified
2024-11-20 23:50
Summary
SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BEBAB00-7C4B-435E-9DB9-F7E46AA1A74E", "versionEndIncluding": "2.0.1c", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter." } ], "id": "CVE-2004-1226", "lastModified": "2024-11-20T23:50:24.550", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-01-10T05:00:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18447" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18447" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite un salto de directorio en el m\u00f3dulo Studio por parte de un usuario Developer." } ], "id": "CVE-2019-17313", "lastModified": "2024-11-21T04:32:04.113", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:13.210", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 15:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de objetos PHP en el m\u00f3dulo Import por parte de un usuario Regular." } ], "id": "CVE-2019-17316", "lastModified": "2024-11-21T04:32:04.547", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T15:15:10.950", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1321" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-08-07 20:29
Modified
2024-11-21 02:34
Summary
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.openwall.com/lists/oss-security/2015/08/06/6 | Broken Link, Mailing List, Third Party Advisory
cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/03/02/5 | Broken Link, Mailing List, Third Party Advisory
cve@mitre.org | http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2015/08/06/6 | Broken Link, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/03/02/5 | Broken Link, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html | Exploit, Third Party Advisory
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.22:*:*:*:*:*:*:*", "matchCriteriaId": "341C1FEB-7A3E-4237-B718-389738FFC153", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension." }, { "lang": "es", "value": "Una vulnerabilidad de lista negra (blacklist) incompleta en SuiteCRM versi\u00f3n 7.2.2, permite a los usuarios autenticados remotos ejecutar c\u00f3digo arbitrario al cargar un archivo con una extensi\u00f3n ejecutable." } ], "id": "CVE-2015-5946", "lastModified": "2024-11-21T02:34:11.200", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-08-07T20:29:00.480", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link", "Mailing List", "Third Party Advisory" ], 
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/03/02/5" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/06/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/03/02/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-184" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-10-10 21:29
Modified
2024-11-21 03:54
Summary
Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://twitter.com/purplemet/status/1043979681186369537 | Third Party Advisory
cve@mitre.org | https://www.exploit-db.com/exploits/45594/ | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities |
af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/purplemet/status/1043979681186369537 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/45594/ | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:community:*:*:*", "matchCriteriaId": "59600861-B4EE-4578-A82A-EA981A125FA5", "versionEndIncluding": "6.5.26", "versionStartIncluding": "6.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades en YUI y FlashCanvas, embebidos en SugarCRM Community Edition 6.5.26 podr\u00edan permitir que un atacante remoto sin autenticar lleve a cabo un ataque Cross-Site Scripting (XSS) en un sistema objetivo." } ], "id": "CVE-2018-17784", "lastModified": "2024-11-21T03:54:58.237", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2018-10-10T21:29:02.430", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://twitter.com/purplemet/status/1043979681186369537" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/45594/" }, { "source": "cve@mitre.org", "url": "https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://twitter.com/purplemet/status/1043979681186369537" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/45594/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-22 20:15
Modified
2024-11-21 05:23
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allow attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.vulnerability-lab.com/get_content.php?id=2249 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.vulnerability-lab.com/get_content.php?id=2249 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.18:*:*:*:*:*:*:*", "matchCriteriaId": "FE6D1FAF-2303-4975-B48C-86834E2A61F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en el m\u00f3dulo de ventas de SugarCRM versi\u00f3n v6.5.18, permiten a atacantes ejecutar scripts web arbitrarios o HTML por medio de cargas \u00fatiles dise\u00f1adas introducidas en los campos de entrada the primary address state o alternate address state" } ], "id": "CVE-2020-28956", "lastModified": "2024-11-21T05:23:22.810", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-10-22T20:15:10.740", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo MergeRecords por parte de un usuario Developer." } ], "id": "CVE-2019-17303", "lastModified": "2024-11-21T04:32:02.683", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.477", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-02-01 17:29
Modified
2024-11-21 02:07
Severity ?
Summary
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://seclists.org/fulldisclosure/2014/Jun/92 | Mailing List, Third Party Advisory | |
cve@mitre.org | http://www.securityfocus.com/bid/68102 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2014/Jun/92 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/68102 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "56A79447-E4F2-4603-9A98-CA590019CBAF", "versionEndExcluding": "6.5.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request." }, { "lang": "es", "value": "Vulnerabilidad XEE (XML External Entity) en el dashlet RSSDashlet en SugarCRM en versiones anteriores a la 6.5.17 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar c\u00f3digo arbitrario mediante un DTD manipulado en una petici\u00f3n XML." } ], "id": "CVE-2014-3244", "lastModified": "2024-11-21T02:07:43.740", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2018-02-01T17:29:00.570", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2014/Jun/92" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/68102" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2014/Jun/92" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/68102" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-611" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-12 13:15
Modified
2024-11-21 05:07
Severity ?
Summary
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | http://seclists.org/fulldisclosure/2020/Aug/9 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2020/Aug/9 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/ | Release Notes, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B3E1615-8E76-4223-BA4C-DB37070A6E84", "versionEndExcluding": "10.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 10.1.0 (el Q3 2020), permite una inyecci\u00f3n SQL" } ], "id": "CVE-2020-17373", "lastModified": "2024-11-21T05:07:58.130", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T13:15:10.753", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": 
"http://seclists.org/fulldisclosure/2020/Aug/9" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-11-12 18:15
Modified
2024-11-21 05:37
Severity ?
Summary
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.)
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F008F6E8-D4EA-46C3-B28B-1FD74907CE16", "versionEndExcluding": "8.0.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "D6098509-B802-4682-A826-B4AE3E776AE7", "versionEndExcluding": "8.0.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "EE1F47AF-2E32-4191-8790-1713F2D4C2FF", "versionEndExcluding": "8.0.7", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "57F246BD-A1C4-4175-B110-55DCDED0749E", "versionEndExcluding": "9.0.4", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "13321C72-94F9-4849-9307-BBC0A696BB68", "versionEndExcluding": "9.0.4", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "60ACA353-B7F7-4A7B-8314-7EA8B79F0F58", "versionEndExcluding": "9.0.4", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.)." 
}, { "lang": "es", "value": "Una omisi\u00f3n de autorizaci\u00f3n y una vulnerabilidad de inclusi\u00f3n de archivos locales PHP en el componente de instalaci\u00f3n de SugarCRM versiones anteriores a 8.0, versiones 8.0 anteriores a 8.0.7, versiones 9.0 anteriores a 9.0.4 y versiones 10.0 anteriores a 10.0.0, permiten una ejecuci\u00f3n de c\u00f3digo remota no autenticado contra una instancia de SugarCRM configurada por medio de peticiones HTTP dise\u00f1adas.\u0026#xa0;(Esto es explotable incluso despu\u00e9s de que la instalaci\u00f3n es completada)" } ], "id": "CVE-2020-7472", "lastModified": "2024-11-21T05:37:12.827", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-11-12T18:15:16.033", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], 
"url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" }, { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en la funci\u00f3n history por parte de un usuario Regular." } ], "id": "CVE-2019-17295", "lastModified": "2024-11-21T04:32:01.530", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:11.897", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo Administration por parte de un usuario Developer." } ], "id": "CVE-2019-17300", "lastModified": "2024-11-21T04:32:02.253", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.240", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2005-01-01 05:00
Modified
2024-11-20 23:54
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sugarcrm | sugarcrm | 1.0 | |
sugarcrm | sugarcrm | 1.0f | |
sugarcrm | sugarcrm | 1.0g | |
sugarcrm | sugarcrm | 1.1 | |
sugarcrm | sugarcrm | 1.1a | |
sugarcrm | sugarcrm | 1.1b | |
sugarcrm | sugarcrm | 1.1c | |
sugarcrm | sugarcrm | 1.1d | |
sugarcrm | sugarcrm | 1.1e | |
sugarcrm | sugarcrm | 1.1f | |
sugarcrm | sugarcrm | 1.5d | |
sugarcrm | sugarcrm | 2.0.1 | |
sugarcrm | sugarcrm | 2.0.1a |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4107E934-D5CF-4ABF-8CB6-0DA90F3D9A74", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0f:*:*:*:*:*:*:*", "matchCriteriaId": "85742E7F-C06C-46A5-9008-245BE6E4E0BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0g:*:*:*:*:*:*:*", "matchCriteriaId": "B820A83B-0F03-4523-9D4D-3EB2930B35F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "49FA30E3-7572-4BCC-8EFA-9D259DF892E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1a:*:*:*:*:*:*:*", "matchCriteriaId": "AFBB2BDD-5FA2-40E1-9395-A9DED672E3FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1b:*:*:*:*:*:*:*", "matchCriteriaId": "022D7E5E-BCBC-4E14-9C0D-50E5DD237D76", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1c:*:*:*:*:*:*:*", "matchCriteriaId": "22E73109-5473-417C-A003-7C1EE1DC3ABC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1d:*:*:*:*:*:*:*", "matchCriteriaId": "F183CCFF-6D5B-43E7-A70F-E9AEA6E46880", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1e:*:*:*:*:*:*:*", "matchCriteriaId": "1DA73438-7BA5-4668-90E2-2EECDBBB58A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1f:*:*:*:*:*:*:*", "matchCriteriaId": "A6C3E6DF-AE5C-4D7F-99B3-16C3967A6A60", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.5d:*:*:*:*:*:*:*", "matchCriteriaId": "6BF53885-8C5B-4654-AB42-587290E58355", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A197BD9-85DD-47F2-B30B-6C7F372F6DCE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1a:*:*:*:*:*:*:*", "matchCriteriaId": "42F2BB29-5136-4F23-8D1B-0507A5FCBF13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], 
"descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter." } ], "id": "CVE-2005-0266", "lastModified": "2024-11-20T23:54:45.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-01-01T05:00:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq\u0026m=110461706232174\u0026w=2" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/12113" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18719" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq\u0026m=110461706232174\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/12113" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18719" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo Configurator por parte de un usuario Admin." } ], "id": "CVE-2019-17306", "lastModified": "2024-11-21T04:32:03.137", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.663", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-05-01 19:05
Modified
2024-11-21 00:45
Summary
Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.1:*:community_edition:*:*:*:*:*", "matchCriteriaId": "D0D2A567-7389-4984-BE45-414BB37CCFD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:community_edition:*:*:*:*:*", "matchCriteriaId": "6B389680-9097-4034-9590-4F172EFFEF2E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory." }, { "lang": "es", "value": "Vulnerabilidad de salto de ruta absoluta en SugarCRM Sugar Community Edition 4.5.1 y 5.0.0, permite a atacantes remotos leer los ficheros que deseen escribiendo una ruta completa en el par\u00e1metro URL de modules/Feeds/Feed.php, esto guarda el contenido en un fichero de cach\u00e9 relacionado, en el directorio .cache/feeds." 
} ], "id": "CVE-2008-2045", "lastModified": "2024-11-21T00:45:57.657", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-05-01T19:05:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/30002" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3844" }, { "source": "cve@mitre.org", "url": "http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/491417/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/28981" }, { "source": "cve@mitre.org", "url": "http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=31688" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=32252" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1388/references" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42087" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/5521" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor 
Advisory" ], "url": "http://secunia.com/advisories/30002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/3844" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/491417/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/28981" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=31688" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=32252" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1388/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/5521" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo ModuleBuilder por parte de un usuario Developer." } ], "id": "CVE-2019-17302", "lastModified": "2024-11-21T04:32:02.543", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.397", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-22 20:15
Modified
2024-11-21 05:23
Summary
SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://www.vulnerability-lab.com/get_content.php?id=2257 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.vulnerability-lab.com/get_content.php?id=2257 | Exploit, Third Party Advisory
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.18:*:*:*:*:*:*:*", "matchCriteriaId": "FE6D1FAF-2303-4975-B48C-86834E2A61F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields." }, { "lang": "es", "value": "Se ha detectado que SugarCRM versi\u00f3n v6.5.18, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el m\u00f3dulo Create Employee. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga \u00fatil dise\u00f1ada en los campos de entrada First Name o Last Name" } ], "id": "CVE-2020-28955", "lastModified": "2024-11-21T05:23:22.657", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-10-22T20:15:10.700", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2257" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2257" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo EmailMan por parte de un usuario Admin." } ], "id": "CVE-2019-17309", "lastModified": "2024-11-21T04:32:03.557", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.880", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-17 22:15
Modified
2024-11-21 08:08
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can be used for exploitation. Editions other than Enterprise are also affected.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F2920E2F-99C4-4C67-9336-BD5A02EC0E71", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "6A6F5559-F05F-43B8-A972-E06B5AD0B249", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "C2391868-9E0B-44D3-8206-B4D66FF98374", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "8165A201-F418-46B5-8574-FEECF535D00D", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "67E235C5-274C-45DD-B3E2-266E8A9E778B", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0239BDAF-6DF6-4CC7-97C6-53EB4BEFB784", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "9BC5281D-BEA4-4AE7-ACAF-5814E5E62CAC", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "539A1F9D-92B2-43A4-B28C-19B1C25B2A45", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. 
Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected." }, { "lang": "es", "value": "Se ha descubierto un problema en SugarCRM Enterprise antes de v11.0.6 y v12.x antes de v12.0.3. Se han identificado dos vectores de inyecci\u00f3n SQL en la API REST. Mediante el uso de peticiones manipuladas, c\u00f3digo SQL personalizado puede ser inyectado a trav\u00e9s de la API REST debido a la falta de validaci\u00f3n de entrada. Los privilegios de un usuario normal pueden utilizarse para la explotaci\u00f3n. Las ediciones distintas a Enterprise tambi\u00e9n se ven afectadas. " } ], "id": "CVE-2023-35811", "lastModified": "2024-11-21T08:08:45.200", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-17T22:15:09.590", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2023/Aug/29" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://seclists.org/fulldisclosure/2023/Aug/29" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite un salto de directorio en el m\u00f3dulo Configurator por parte de un usuario Admin." } ], "id": "CVE-2019-17314", "lastModified": "2024-11-21T04:32:04.257", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:13.287", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-27 04:15
Modified
2024-11-21 08:29
Severity ?
Summary
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with regular user privileges can exploit this.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3BCEA458-0427-445A-B74A-590934520C79", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "C1C36594-3456-4BDA-BFA2-000F5EE2D7DF", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "0B003912-9B1C-47A0-A924-6F1388932016", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "09C053BA-CB75-4C39-AFA6-C6E7BDC44BE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.0:*:*:*:sell:*:*:*", "matchCriteriaId": "EDADB8E6-E436-46EF-A3C6-1482EEB24001", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.0:*:*:*:serve:*:*:*", "matchCriteriaId": "BE19EDC5-18A6-41EC-BE08-CD2BCE7D74CC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.1:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5F7DAE96-4F17-498B-9158-3CC81157C2BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.1:*:*:*:sell:*:*:*", "matchCriteriaId": "D550659A-9E01-4548-B88B-2C6167CDDDD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:13.0.1:*:*:*:serve:*:*:*", "matchCriteriaId": "80CA0C95-E7E3-4DA1-9D3F-979BCE9E60FE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. 
An attacker with regular user privileges can exploit this." }, { "lang": "es", "value": "Se descubri\u00f3 un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. Se ha identificado una vulnerabilidad de carga de archivos sin restricciones en el m\u00f3dulo de Notas. Al utilizar una solicitud manipulada, se puede inyectar c\u00f3digo PHP personalizado a trav\u00e9s del m\u00f3dulo de Notas debido a la falta de validaci\u00f3n de entrada. Un atacante con privilegios de usuario habituales puede aprovechar esto." } ], "id": "CVE-2023-46815", "lastModified": "2024-11-21T08:29:21.843", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-27T04:15:10.777", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-17 22:15
Modified
2024-11-21 08:08
Severity ?
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability. Editions other than Enterprise are also affected.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F2920E2F-99C4-4C67-9336-BD5A02EC0E71", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "6A6F5559-F05F-43B8-A972-E06B5AD0B249", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "C2391868-9E0B-44D3-8206-B4D66FF98374", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "8165A201-F418-46B5-8574-FEECF535D00D", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "67E235C5-274C-45DD-B3E2-266E8A9E778B", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0239BDAF-6DF6-4CC7-97C6-53EB4BEFB784", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "9BC5281D-BEA4-4AE7-ACAF-5814E5E62CAC", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "539A1F9D-92B2-43A4-B28C-19B1C25B2A45", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. 
A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability. Editions other than Enterprise are also affected." } ], "id": "CVE-2023-35810", "lastModified": "2024-11-21T08:08:45.047", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-17T22:15:09.553", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/174302/SugarCRM-12.2.0-PHP-Object-Injection.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2023/Aug/28" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/174302/SugarCRM-12.2.0-PHP-Object-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2023/Aug/28" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-03-19 19:30
Modified
2024-11-21 01:12
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2.0g:*:*:*:*:*:*:*", "matchCriteriaId": "699A9586-0683-4DAA-9E5C-662C0630C6EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2a:*:*:*:*:*:*:*", "matchCriteriaId": "439E75C4-C02D-4905-9D73-CE27D6A54C5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2c:*:*:*:*:*:*:*", "matchCriteriaId": "6BF95EA0-16E7-4173-AEC8-D66A3F8FB62B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2d:*:*:*:*:*:*:*", "matchCriteriaId": "BFA524F8-A78F-414A-A5AC-1A89901BD917", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2e:*:*:*:*:*:*:*", "matchCriteriaId": "CFCC9802-4642-4331-9D56-4E1F76151E24", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2f:*:*:*:*:*:*:*", "matchCriteriaId": "7922DB4E-9812-4636-A61D-8D201CE92D93", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2g:*:*:*:*:*:*:*", "matchCriteriaId": "57A8ECCF-AAEC-49B1-B474-E4DD14EE7CF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2h:*:*:*:*:*:*:*", "matchCriteriaId": "5AC18299-07B6-46BB-93DF-E642FE637395", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5:beta1:*:*:*:*:*:*", "matchCriteriaId": "B1E9C26A-6845-45C3-A801-E5F1B5B9B0E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5:beta2:*:*:*:*:*:*", "matchCriteriaId": "EF6C4B76-D1CD-4B58-A9FF-5D35EEAC89EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "3943C856-B008-4E66-802B-762D28B679A6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field." 
}, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en la funcionalidad de documentos en l\u00ednea en SugarCRM v5.2.x anterior a v5.2.0l y v5.5.x anterior a v5.5.0a permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del campo \"Document Name\"." } ], "id": "CVE-2010-0465", "lastModified": "2024-11-21T01:12:16.613", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2010-03-19T19:30:00.453", "references": [ { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/38962" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/510116/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/38772" }, { "source": "cve@mitre.org", "url": "http://www.sugarcrm.com/crm/support/bugs.html?task=view\u0026caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/38962" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/510116/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/38772" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.sugarcrm.com/crm/support/bugs.html?task=view\u0026caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-17 22:15
Modified
2024-12-17 17:15
Severity ?
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F2920E2F-99C4-4C67-9336-BD5A02EC0E71", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "6A6F5559-F05F-43B8-A972-E06B5AD0B249", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "C2391868-9E0B-44D3-8206-B4D66FF98374", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "8165A201-F418-46B5-8574-FEECF535D00D", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "67E235C5-274C-45DD-B3E2-266E8A9E778B", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0239BDAF-6DF6-4CC7-97C6-53EB4BEFB784", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*", "matchCriteriaId": "9BC5281D-BEA4-4AE7-ACAF-5814E5E62CAC", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*", "matchCriteriaId": "539A1F9D-92B2-43A4-B28C-19B1C25B2A45", "versionEndExcluding": "12.0.3", "versionStartIncluding": "12.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. 
A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected." } ], "id": "CVE-2023-35809", "lastModified": "2024-12-17T17:15:07.897", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-17T22:15:09.517", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2023/Aug/27" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2023/Aug/27" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-11 09:15
Modified
2025-01-29 16:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/ | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/ | Vendor Advisory
{ "cisaActionDue": "2023-02-23", "cisaExploitAdd": "2023-02-02", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Multiple SugarCRM Products Remote Code Execution Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8F17D00-E9D1-4E15-BBD3-E31FE0447DB2", "versionEndExcluding": "11.0.5", "versionStartIncluding": "11.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0BDB348-954D-4DE0-8453-86E8C596E5E1", "versionEndExcluding": "12.0.2", "versionStartIncluding": "12.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation." }, { "lang": "es", "value": "En SugarCRM antes de la 12.0. Hotfix 91155, una solicitud manipulada puede inyectar c\u00f3digo PHP personalizado a trav\u00e9s de EmailTemplates debido a que falta una validaci\u00f3n de entrada." 
} ], "id": "CVE-2023-22952", "lastModified": "2025-01-29T16:15:35.047", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-01-11T09:15:08.787", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": 
"nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite un salto de directorio en la funci\u00f3n file por parte de un usuario Regular." } ], "id": "CVE-2019-17312", "lastModified": "2024-11-21T04:32:03.970", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:13.130", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo Contacts por parte de un usuario Regular." } ], "id": "CVE-2019-17296", "lastModified": "2024-11-21T04:32:01.677", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:11.960", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Severity ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n SQL en el m\u00f3dulo pmse_Inbox por parte de un usuario Admin." } ], "id": "CVE-2019-17292", "lastModified": "2024-11-21T04:32:01.093", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:11.727", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de c\u00f3digo PHP en el m\u00f3dulo Tracker por parte de un usuario Admin." } ], "id": "CVE-2019-17307", "lastModified": "2024-11-21T04:32:03.280", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:12.740", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-12-15 03:57
Modified
2024-11-21 01:33
Summary
Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php.
References
Impacted products
Vendor | Product | Version |
---|---|---|
sugarcrm | sugarcrm | 6.1.0 |
sugarcrm | sugarcrm | 6.1.1 |
sugarcrm | sugarcrm | 6.1.2 |
sugarcrm | sugarcrm | 6.1.3 |
sugarcrm | sugarcrm | 6.1.4 |
sugarcrm | sugarcrm | 6.1.5 |
sugarcrm | sugarcrm | 6.1.6 |
sugarcrm | sugarcrm | 6.2.0 |
sugarcrm | sugarcrm | 6.2.1 |
sugarcrm | sugarcrm | 6.2.2 |
sugarcrm | sugarcrm | 6.2.3 |
sugarcrm | sugarcrm | 6.3.0 rc1 |
sugarcrm | sugarcrm | 6.3.0 rc2 |
sugarcrm | sugarcrm | 6.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C16E5EC2-5F12-4295-A1DC-84D483B41B11", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "ABD86E19-E2CF-4A06-9A33-DD225A6014F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "0E852A2C-DA3A-41AD-A3F5-8E687FF261FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "2203D0CE-50B8-4B84-9243-7E9014C4B03B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "1AF1D67F-A948-434D-BF20-C57146E057A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "895944DB-051F-4AF4-822E-FCBB2AC9740C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "D8FBCC3B-8EBB-4D38-BEF2-633AB22679A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9547CE36-62A8-443D-BB64-52450F73D2BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "22243D9F-63DD-48F6-AFB0-40E1F0CDC426", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "2DF47CAC-2F55-4599-96D1-6844DBCE249B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "DA0F7430-D811-4063-BF9C-7CCC518C2A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F02CEA83-1236-479C-AAB9-97132A258344", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D7CEE2FF-357A-479B-A43A-59C3FBB4682B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:6.4:*:*:*:*:*:*:*", "matchCriteriaId": "445AB068-5FC6-4E34-9112-3DE3E81EC070", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en el m\u00f3dulo Leads en SugarCRM v6.1 antes de v6.1.7, v6.2 antes de v6.2.4, v6.3 antes de v6.3.0RC3, y v6.4 antes de v6.4.0beta1, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s de los par\u00e1metros (1) where y (2) order, en una acci\u00f3n get_full_list en index.php" } ], "id": "CVE-2011-4833", "lastModified": "2024-11-21T01:33:05.513", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-12-15T03:57:34.967", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/47011" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://securitytracker.com/id?1026369" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/77459" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/archive/1/520685/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47800" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47805" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47806" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47839" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71586" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/47011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://securitytracker.com/id?1026369" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.osvdb.org/77459" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/520685/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47800" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47805" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47806" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47839" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71586" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-03-16 22:55
Modified
2024-11-21 01:24
Summary
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "30378EB2-8CB4-402B-86CB-5FE9521F313C", "versionEndIncluding": "6.1.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4107E934-D5CF-4ABF-8CB6-0DA90F3D9A74", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0f:*:*:*:*:*:*:*", "matchCriteriaId": "85742E7F-C06C-46A5-9008-245BE6E4E0BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.0g:*:*:*:*:*:*:*", "matchCriteriaId": "B820A83B-0F03-4523-9D4D-3EB2930B35F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "49FA30E3-7572-4BCC-8EFA-9D259DF892E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1a:*:*:*:*:*:*:*", "matchCriteriaId": "AFBB2BDD-5FA2-40E1-9395-A9DED672E3FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1b:*:*:*:*:*:*:*", "matchCriteriaId": "022D7E5E-BCBC-4E14-9C0D-50E5DD237D76", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1c:*:*:*:*:*:*:*", "matchCriteriaId": "22E73109-5473-417C-A003-7C1EE1DC3ABC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1d:*:*:*:*:*:*:*", "matchCriteriaId": "F183CCFF-6D5B-43E7-A70F-E9AEA6E46880", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1e:*:*:*:*:*:*:*", "matchCriteriaId": "1DA73438-7BA5-4668-90E2-2EECDBBB58A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.1f:*:*:*:*:*:*:*", "matchCriteriaId": "A6C3E6DF-AE5C-4D7F-99B3-16C3967A6A60", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:1.5d:*:*:*:*:*:*:*", "matchCriteriaId": "6BF53885-8C5B-4654-AB42-587290E58355", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0A197BD9-85DD-47F2-B30B-6C7F372F6DCE", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:2.0.1a:*:*:*:*:*:*:*", "matchCriteriaId": "42F2BB29-5136-4F23-8D1B-0507A5FCBF13", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:2.0.1c:*:*:*:*:*:*:*", "matchCriteriaId": "603F5E29-5D0B-4872-A125-D7B1CD77BACA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "687D4794-4163-4EC8-9673-47E5EF216371", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "12DAF9EB-FED5-482D-820E-553E9057B92E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B6842129-2DF6-47C9-8960-BF39D1A337C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DF5360C-C07C-413A-9B8C-50907187DAC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DED8B842-AAEB-4227-A2D3-64229F4B9FA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "4525F5B5-E268-4B50-8244-E8829C106FA1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "28098D0F-B3E2-470E-92B1-C9138A664496", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "35F7EFEF-004A-458A-9B3C-3B1B654C6C11", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "ACB97DBC-4525-4227-9698-4B05140CCAB1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.0f:*:*:*:*:*:*:*", "matchCriteriaId": "58854312-8672-4399-83FB-DF12DF6052F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "13A8BAEB-B6E3-48AF-90E8-28D7146115AF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.1:*:community_edition:*:*:*:*:*", "matchCriteriaId": 
"D0D2A567-7389-4984-BE45-414BB37CCFD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.1i:*:*:*:*:*:*:*", "matchCriteriaId": "15CE8ADA-3B44-467E-8055-62B92762EAF4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:4.5.1o:*:*:*:*:*:*:*", "matchCriteriaId": "85A12D16-AC02-4450-AAFC-192CAA5A2BD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "91EAD9ED-CB3E-495F-B62C-047604952312", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:community_edition:*:*:*:*:*", "matchCriteriaId": "6B389680-9097-4034-9590-4F172EFFEF2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "6FEB4B61-0F95-45CA-AB7A-BA07FF2FCA82", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0h:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "B23F68DA-DFB0-42E1-959A-F7A68AA83BC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.0.0k:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "0C7E5228-8F94-42EA-B0E0-A52E0F05A933", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1.0:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "6E29C3D7-E58A-4F9D-9C2D-9215EBF9F3BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1.0-beta:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "FF69D1EA-2B23-4A9A-A535-A4C59C7DBBD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1c:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "DC04A89E-5379-41B3-BF84-87A2AEB62ED0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.1l:*:*:*:*:*:*:*", "matchCriteriaId": "D9163FEC-6827-429B-A020-6728766C63BA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2.0g:*:*:*:*:*:*:*", "matchCriteriaId": "699A9586-0683-4DAA-9E5C-662C0630C6EF", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:5.2a:*:*:*:*:*:*:*", "matchCriteriaId": "439E75C4-C02D-4905-9D73-CE27D6A54C5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2c:*:*:*:*:*:*:*", "matchCriteriaId": "6BF95EA0-16E7-4173-AEC8-D66A3F8FB62B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2c:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "F0114CAC-A8F4-489C-818E-DB4E068DAB99", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2d:*:*:*:*:*:*:*", "matchCriteriaId": "BFA524F8-A78F-414A-A5AC-1A89901BD917", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2d:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "25E6CA5B-18F8-4C81-A436-6A7FA0E8B45D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2e:*:*:*:*:*:*:*", "matchCriteriaId": "CFCC9802-4642-4331-9D56-4E1F76151E24", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2e:*:sugar_community_edition:*:*:*:*:*", "matchCriteriaId": "0B6D79D5-2E61-4C1F-906B-EB16F0D97586", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2f:*:*:*:*:*:*:*", "matchCriteriaId": "7922DB4E-9812-4636-A61D-8D201CE92D93", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2g:*:*:*:*:*:*:*", "matchCriteriaId": "57A8ECCF-AAEC-49B1-B474-E4DD14EE7CF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.2h:*:*:*:*:*:*:*", "matchCriteriaId": "5AC18299-07B6-46BB-93DF-E642FE637395", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5:beta1:*:*:*:*:*:*", "matchCriteriaId": "B1E9C26A-6845-45C3-A801-E5F1B5B9B0E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5:beta2:*:*:*:*:*:*", "matchCriteriaId": "EF6C4B76-D1CD-4B58-A9FF-5D35EEAC89EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "3943C856-B008-4E66-802B-762D28B679A6", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:5.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "D61D60F9-F47C-4956-A9DF-594526C55B43", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "CCCDE64A-8C40-4238-B6FA-EA28A39A056A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "33762867-534A-4F49-83B5-A80AE73A43E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "2F806383-1275-4E86-8791-034E146CC02A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:5.5a:*:*:*:*:*:*:*", "matchCriteriaId": "28A03CF9-79B6-4CD2-A3E0-03B7C14DCC27", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "850E98DE-3286-4C33-8C79-DE184110078E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "07F0B26C-9EF8-4EB0-817C-D17EA0DECF53", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "976A3FCD-FFCA-4881-A27D-67557A469EB8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "1F96B0CB-2C92-4785-8BCA-1FC27F05C015", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C16E5EC2-5F12-4295-A1DC-84D483B41B11", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "ABD86E19-E2CF-4A06-9A33-DD225A6014F8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the 
names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php." }, { "lang": "es", "value": "SugarCRM en versiones anteriores a la 6.1.3 no maneja apropiadamente las recargas y peticiones directas de una p\u00e1gina de advertencia producida por una comprobaci\u00f3n de duplicidad (\"check duplicate\") determinada, lo que permite a usuarios autenticados remotos averiguar (1) los nombres de clientes a trav\u00e9s una acci\u00f3n ShowDuplicates del m\u00f3dulo Accounts, a la que se puede acceder trav\u00e9s de index.php; o (2) los nombres de personas de contacto a trav\u00e9s de una acci\u00f3n ShowDuplicates del m\u00f3dulo Contacts, a la que se puede acceder trav\u00e9s de index.php." } ], "id": "CVE-2011-0745", "lastModified": "2024-11-21T01:24:45.013", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-03-16T22:55:02.980", "references": [ { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/8141" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2011-002" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/517027/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/46885" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1025222" }, { "source": "cve@mitre.org", "url": 
"http://www.vupen.com/english/advisories/2011/0675" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66110" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/8141" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2011-002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/517027/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/46885" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1025222" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0675" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66110" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 15:15
Modified
2024-11-21 04:32
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1B04977C-4203-46B6-AFEC-DDC475599915", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "950CD2A5-AB97-48B5-8814-C4FA04E1CF56", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0186BAF9-4F9D-4FA6-BBEA-4D294C46BC1A", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "278B920A-8E0D-4EC3-9257-EA52CEEC6689", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A34C90AE-CE93-455B-8787-8867D2805C91", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*", "matchCriteriaId": "A974438A-0523-46F0-8F2B-D61E16496620", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "FA13DFD9-EB4C-43FB-9473-6A64EBE1FA62", "versionEndExcluding": "7.9.5.0", "versionStartIncluding": "7.9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "950BD871-DF3E-4A73-A7E2-F4817A7BDE00", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*", "matchCriteriaId": "D36D9FBD-109A-44F1-B3C2-8A3B1646BE1C", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user." }, { "lang": "es", "value": "SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyecci\u00f3n de objetos PHP en el m\u00f3dulo UpgradeWizard por parte de un usuario Admin." } ], "id": "CVE-2019-17317", "lastModified": "2024-11-21T04:32:04.690", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T15:15:11.013", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1321" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2019-17298
Vulnerability from cvelistv5
Published
2019-10-07 15:05
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.372Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:05:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17298", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17298", "datePublished": "2019-10-07T15:05:16", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.372Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2004-1225
Vulnerability from cvelistv5
Published
2004-12-15 05:00
Modified
2024-08-08 00:46
Summary
SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality.
References
| URL | Tags |
|---|---|
| http://marc.info/?l=bugtraq&m=110295433323795&w=2 | mailing-list, x_refsource_BUGTRAQ |
| http://www.securityfocus.com/bid/11740 | vdb-entry, x_refsource_BID |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/18325 | vdb-entry, x_refsource_XF |
| http://www.gulftech.org/?node=research&article_id=00053-120104 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-08T00:46:11.822Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20041213 SugarSales Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "name": "11740", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/11740" }, { "name": "sugarcrm-record-sql-injection(18325)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18325" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.gulftech.org/?node=research\u0026article_id=00053-120104" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2004-12-13T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20041213 SugarSales Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "name": "11740", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/11740" }, { "name": "sugarcrm-record-sql-injection(18325)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18325" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.gulftech.org/?node=research\u0026article_id=00053-120104" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-1225", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20041213 SugarSales Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "name": "11740", "refsource": "BID", "url": "http://www.securityfocus.com/bid/11740" }, { "name": "sugarcrm-record-sql-injection(18325)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18325" }, { "name": "http://www.gulftech.org/?node=research\u0026article_id=00053-120104", "refsource": "MISC", "url": "http://www.gulftech.org/?node=research\u0026article_id=00053-120104" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-1225", "datePublished": "2004-12-15T05:00:00", "dateReserved": "2004-12-14T00:00:00", "dateUpdated": "2024-08-08T00:46:11.822Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14508
Vulnerability from cvelistv5
Published
2017-09-17 21:00
Modified
2024-08-05 19:27
Summary
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.
References
| URL | Tags |
|---|---|
| https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM | x_refsource_CONFIRM |
| https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/ | x_refsource_MISC |
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:27:40.676Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-09-17T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-29T13:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14508", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM", "refsource": "CONFIRM", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "name": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/", "refsource": "MISC", "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" }, { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14508", "datePublished": "2017-09-17T21:00:00", "dateReserved": "2017-09-17T00:00:00", "dateUpdated": "2024-08-05T19:27:40.676Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2005-0266
Vulnerability from cvelistv5
Published
2005-02-10 05:00
Modified
2024-08-07 21:05
Summary
Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter.
References
| URL | Tags |
|---|---|
| http://marc.info/?l=bugtraq&m=110461706232174&w=2 | mailing-list, x_refsource_BUGTRAQ |
| http://www.securityfocus.com/bid/12113 | vdb-entry, x_refsource_BID |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/18719 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T21:05:25.547Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=110461706232174\u0026w=2" }, { "name": "12113", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/12113" }, { "name": "sugar-sales-index-xss(18719)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18719" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-01-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=110461706232174\u0026w=2" }, { "name": "12113", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/12113" }, { "name": "sugar-sales-index-xss(18719)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18719" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-0266", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=110461706232174\u0026w=2" }, { "name": "12113", "refsource": "BID", "url": "http://www.securityfocus.com/bid/12113" }, { "name": "sugar-sales-index-xss(18719)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18719" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-0266", "datePublished": "2005-02-10T05:00:00", "dateReserved": "2005-02-10T00:00:00", "dateUpdated": "2024-08-07T21:05:25.547Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-2146
Vulnerability from cvelistv5
Published
2009-06-22 14:00
Modified
2024-09-17 04:25
Summary
Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name.
References
| URL | Tags |
|---|---|
| http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf | x_refsource_CONFIRM |
| http://secunia.com/advisories/35445 | third-party-advisory, x_refsource_SECUNIA |
| http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt | x_refsource_MISC |
| http://www.securityfocus.com/bid/35361 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:36:21.014Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf" }, { "name": "35445", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35445" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt" }, { "name": "35361", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/35361" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-06-22T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf" }, { "name": "35445", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35445" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt" }, { "name": "35361", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/35361" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-2146", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf", "refsource": "CONFIRM", "url": "http://www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdf" }, { "name": "35445", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35445" }, { "name": "http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt", "refsource": "MISC", "url": "http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt" }, { "name": "35361", "refsource": "BID", "url": "http://www.securityfocus.com/bid/35361" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-2146", "datePublished": "2009-06-22T14:00:00Z", "dateReserved": "2009-06-22T00:00:00Z", "dateUpdated": "2024-09-17T04:25:46.865Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-36501
Vulnerability from cvelistv5
Published
2021-10-22 19:19
Modified
2024-08-04 17:30
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allow attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
References
| URL | Tags |
|---|---|
| https://www.vulnerability-lab.com/get_content.php?id=2249 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:30:08.265Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-22T19:19:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-36501", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.vulnerability-lab.com/get_content.php?id=2249", "refsource": "MISC", "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-36501", "datePublished": "2021-10-22T19:19:54", "dateReserved": "2021-10-20T00:00:00", "dateUpdated": "2024-08-04T17:30:08.265Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17317
Vulnerability from cvelistv5
Published
2019-10-07 15:00
Modified
2024-08-05 01:40
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.436Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:00:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17317", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17317", "datePublished": "2019-10-07T15:00:14", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.436Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0465
Vulnerability from cvelistv5
Published
2010-03-19 19:00
Modified
2024-08-07 00:52
Summary
Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/archive/1/510116/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| http://www.securityfocus.com/bid/38772 | vdb-entry, x_refsource_BID |
| http://secunia.com/advisories/38962 | third-party-advisory, x_refsource_SECUNIA |
| http://www.sugarcrm.com/crm/support/bugs.html?task=view&caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:52:18.947Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20100316 SugarCRM Stored XSS vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/510116/100/0/threaded" }, { "name": "38772", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/38772" }, { "name": "38962", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38962" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html?task=view\u0026caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-03-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20100316 SugarCRM Stored XSS vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/510116/100/0/threaded" }, { "name": "38772", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/38772" }, { "name": "38962", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38962" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html?task=view\u0026caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-0465", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20100316 SugarCRM Stored XSS vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/510116/100/0/threaded" }, { "name": "38772", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38772" }, { "name": "38962", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38962" }, { "name": "http://www.sugarcrm.com/crm/support/bugs.html?task=view\u0026caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/crm/support/bugs.html?task=view\u0026caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-0465", "datePublished": "2010-03-19T19:00:00", "dateReserved": "2010-01-29T00:00:00", "dateUpdated": "2024-08-07T00:52:18.947Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-35809
Vulnerability from cvelistv5
Published
2023-06-17 00:00
Modified
2024-12-17 16:28
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:30:45.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/" }, { "name": "20230823 [KIS-2023-06] SugarCRM \u003c= 12.2.0 (updateGeocodeStatus) Bean Manipulation Vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/27" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-35809", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-17T16:27:48.601940Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-17T16:28:37.652Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-23T15:06:15.726579", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/" }, { "name": "20230823 [KIS-2023-06] SugarCRM \u003c= 12.2.0 (updateGeocodeStatus) Bean Manipulation Vulnerability", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/27" }, { "url": "http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-35809", "datePublished": "2023-06-17T00:00:00", "dateReserved": "2023-06-17T00:00:00", "dateUpdated": "2024-12-17T16:28:37.652Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17303
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.302Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17303", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17303", "datePublished": "2019-10-07T15:04:34", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.302Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-3244
Vulnerability from cvelistv5
Published
2018-02-01 17:00
Modified
2024-08-06 10:35
Summary
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/68102 | vdb-entry, x_refsource_BID |
| https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294 | x_refsource_MISC |
| http://seclists.org/fulldisclosure/2014/Jun/92 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:35:57.081Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "68102", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/68102" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294" }, { "name": "20140618 [CVE-2014-3244]SugarCRM v6.5.16 rss dashlet LFI via XXE Attack", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Jun/92" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-06-17T00:00:00", "descriptions": [ { "lang": "en", "value": "XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-01T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "68102", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/68102" }, { "tags": [ "x_refsource_MISC" ], "url": "https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294" }, { "name": "20140618 [CVE-2014-3244]SugarCRM v6.5.16 rss dashlet LFI via XXE Attack", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Jun/92" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3244", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "68102", "refsource": "BID", "url": "http://www.securityfocus.com/bid/68102" }, { "name": "https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294", "refsource": "MISC", "url": "https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294" }, { "name": "20140618 [CVE-2014-3244]SugarCRM v6.5.16 rss dashlet LFI via XXE Attack", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Jun/92" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3244", "datePublished": "2018-02-01T17:00:00", "dateReserved": "2014-05-06T00:00:00", "dateUpdated": "2024-08-06T10:35:57.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2004-1226
Vulnerability from cvelistv5
Published
2004-12-15 05:00
Modified
2024-08-08 00:46
Summary
SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter.
References
| URL | Tags |
|---|---|
| http://marc.info/?l=bugtraq&m=110295433323795&w=2 | mailing-list, x_refsource_BUGTRAQ |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/18447 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-08T00:46:12.283Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20041213 SugarSales Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "name": "sugar-sales-path-disclosure(18447)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18447" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2004-12-13T00:00:00", "descriptions": [ { "lang": "en", "value": "SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20041213 SugarSales Multiple Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "name": "sugar-sales-path-disclosure(18447)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18447" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-1226", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20041213 SugarSales Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=110295433323795\u0026w=2" }, { "name": "sugar-sales-path-disclosure(18447)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18447" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-1226", "datePublished": "2004-12-15T05:00:00", "dateReserved": "2004-12-14T00:00:00", "dateUpdated": "2024-08-08T00:46:12.283Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17311
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.325Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17311", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17311", "datePublished": "2019-10-07T15:03:20", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.325Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-17373
Vulnerability from cvelistv5
Published
2020-08-12 12:28
Modified
2024-08-04 13:53
Summary
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
References
| URL | Tags |
|---|---|
| http://seclists.org/fulldisclosure/2020/Aug/9 | x_refsource_MISC |
| http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html | x_refsource_MISC |
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:53:16.456Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-28T12:33:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/9" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17373", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://seclists.org/fulldisclosure/2020/Aug/9", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2020/Aug/9" }, { "name": "http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html" }, { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17373", "datePublished": "2020-08-12T12:28:00", "dateReserved": "2020-08-06T00:00:00", "dateUpdated": "2024-08-04T13:53:16.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-5946
Vulnerability from cvelistv5
Published
2017-08-07 20:00
Modified
2024-08-06 07:06
Summary
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
References
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/03/02/5 | mailing-list, x_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2015/08/06/6 | mailing-list, x_refsource_MLIST |
| http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:06:34.945Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20160302 CVE Request(s): VTigerCRM and SugarCRM", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/03/02/5" }, { "name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/06/6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-08-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-14T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20160302 CVE Request(s): VTigerCRM and SugarCRM", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/03/02/5" }, { "name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/06/6" }, { "tags": [ "x_refsource_MISC" ], "url": "http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5946", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20160302 CVE Request(s): VTigerCRM and SugarCRM", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/03/02/5" }, { "name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/08/06/6" }, { "name": "http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html", "refsource": "MISC", "url": "http://xiphosresearch.com/2016/03/01/Vulnerability-Inheritance-across-Forks.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5946", "datePublished": "2017-08-07T20:00:00", "dateReserved": "2015-08-06T00:00:00", "dateUpdated": "2024-08-06T07:06:34.945Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14510
Vulnerability from cvelistv5
Published
2017-09-17 21:00
Modified
2024-08-05 19:27
Summary
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by properly validating the redirect URL values being passed along.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/ | x_refsource_MISC |
| https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM | x_refsource_CONFIRM |
| https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:27:40.797Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-09-17T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-29T13:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14510", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/" }, { "name": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM", "refsource": "CONFIRM", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "name": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/", "refsource": "MISC", "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14510", "datePublished": "2017-09-17T21:00:00", "dateReserved": "2017-09-17T00:00:00", "dateUpdated": "2024-08-05T19:27:40.797Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-2460
Vulnerability from cvelistv5
Published
2006-05-19 10:00
Modified
2024-08-07 17:51
Summary
Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter.
References
| URL | Tags |
|---|---|
| http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html | x_refsource_MISC |
| http://www.vupen.com/english/advisories/2006/1791 | vdb-entry, x_refsource_VUPEN |
| http://secunia.com/advisories/20072 | third-party-advisory, x_refsource_SECUNIA |
| http://www.securityfocus.com/archive/1/434009/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/26451 | vdb-entry, x_refsource_XF |
| http://www.securityfocus.com/bid/17987 | vdb-entry, x_refsource_BID |
| http://securitytracker.com/id?1016087 | vdb-entry, x_refsource_SECTRACK |
| http://www.osvdb.org/25532 | vdb-entry, x_refsource_OSVDB |
| https://www.exploit-db.com/exploits/1785 | exploit, x_refsource_EXPLOIT-DB |
| http://securityreason.com/securityalert/921 | third-party-advisory, x_refsource_SREASON |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T17:51:04.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html" }, { "name": "ADV-2006-1791", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/1791" }, { "name": "20072", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/20072" }, { "name": "20060515 Sugar Suite Open Source \u003c= 4.2 \"OptimisticLock!\" arbitrary remote inclusion exploit", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/434009/100/0/threaded" }, { "name": "sugarsuite-modules-file-include(26451)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26451" }, { "name": "17987", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/17987" }, { "name": "1016087", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1016087" }, { "name": "25532", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/25532" }, { "name": "1785", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/1785" }, { "name": "921", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/921" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-05-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Sugar Suite Open Source (SugarCRM) 4.2 and 
earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html" }, { "name": "ADV-2006-1791", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/1791" }, { "name": "20072", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/20072" }, { "name": "20060515 Sugar Suite Open Source \u003c= 4.2 \"OptimisticLock!\" arbitrary remote inclusion exploit", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/434009/100/0/threaded" }, { "name": "sugarsuite-modules-file-include(26451)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26451" }, { "name": "17987", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/17987" }, { "name": "1016087", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1016087" }, { "name": "25532", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/25532" }, { "name": "1785", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/1785" }, { "name": "921", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/921" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": 
"CVE-2006-2460", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html", "refsource": "MISC", "url": "http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html" }, { "name": "ADV-2006-1791", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/1791" }, { "name": "20072", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/20072" }, { "name": "20060515 Sugar Suite Open Source \u003c= 4.2 \"OptimisticLock!\" arbitrary remote inclusion exploit", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/434009/100/0/threaded" }, { "name": "sugarsuite-modules-file-include(26451)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/26451" }, { "name": "17987", "refsource": "BID", "url": "http://www.securityfocus.com/bid/17987" }, { "name": "1016087", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1016087" }, { "name": "25532", "refsource": "OSVDB", "url": "http://www.osvdb.org/25532" }, { "name": "1785", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/1785" }, { "name": "921", "refsource": "SREASON", "url": 
"http://securityreason.com/securityalert/921" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-2460", "datePublished": "2006-05-19T10:00:00", "dateReserved": "2006-05-19T00:00:00", "dateUpdated": "2024-08-07T17:51:04.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-14974
Vulnerability from cvelistv5
Published
2019-08-14 15:44
Modified
2024-08-05 00:34
Severity ?
EPSS score ?
Summary
SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.
References
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/47247 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:52.660Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/47247" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-14T15:44:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/47247" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14974", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.exploit-db.com/exploits/47247", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/47247" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14974", "datePublished": "2019-08-14T15:44:12", "dateReserved": "2019-08-12T00:00:00", "dateUpdated": "2024-08-05T00:34:52.660Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14509
Vulnerability from cvelistv5
Published
2017-09-17 21:00
Modified
2024-08-05 19:27
Severity ?
EPSS score ?
Summary
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/ | x_refsource_MISC |
| https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM | x_refsource_CONFIRM |
| https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:27:40.889Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-09-17T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest\u0026url= query string. Proper input validation has been added to mitigate this issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-29T13:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14509", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest\u0026url= query string. Proper input validation has been added to mitigate this issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/" }, { "name": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM", "refsource": "CONFIRM", "url": "https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM" }, { "name": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/", "refsource": "MISC", "url": "https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14509", "datePublished": "2017-09-17T21:00:00", "dateReserved": "2017-09-17T00:00:00", "dateUpdated": "2024-08-05T19:27:40.889Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17304
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.389Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17304", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17304", "datePublished": "2019-10-07T15:04:24", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.389Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-28955
Vulnerability from cvelistv5
Published
2021-10-22 19:20
Modified
2024-08-04 16:48
Severity ?
EPSS score ?
Summary
SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields.
References
| URL | Tags |
|---|---|
| https://www.vulnerability-lab.com/get_content.php?id=2257 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:48:00.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2257" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-22T19:20:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2257" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28955", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.vulnerability-lab.com/get_content.php?id=2257", "refsource": "MISC", "url": "https://www.vulnerability-lab.com/get_content.php?id=2257" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28955", "datePublished": "2021-10-22T19:20:19", "dateReserved": "2020-11-19T00:00:00", "dateUpdated": "2024-08-04T16:48:00.815Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17302
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.390Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17302", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17302", "datePublished": "2019-10-07T15:04:42", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.390Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17295
Vulnerability from cvelistv5
Published
2019-10-07 15:05
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.421Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:05:43", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17295", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17295", "datePublished": "2019-10-07T15:05:43", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17314
Vulnerability from cvelistv5
Published
2019-10-07 15:01
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:01:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17314", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17314", "datePublished": "2019-10-07T15:01:07", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17294
Vulnerability from cvelistv5
Published
2019-10-07 15:05
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:05:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17294", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17294", "datePublished": "2019-10-07T15:05:55", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17306
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.409Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17306", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17306", "datePublished": "2019-10-07T15:04:06", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.409Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-28956
Vulnerability from cvelistv5
Published
2021-10-22 19:20
Modified
2024-08-04 16:48
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
References
| URL | Tags |
|---|---|
| https://www.vulnerability-lab.com/get_content.php?id=2249 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:48:01.494Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-22T19:20:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28956", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.vulnerability-lab.com/get_content.php?id=2249", "refsource": "MISC", "url": "https://www.vulnerability-lab.com/get_content.php?id=2249" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28956", "datePublished": "2021-10-22T19:20:18", "dateReserved": "2020-11-19T00:00:00", "dateUpdated": "2024-08-04T16:48:01.494Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17308
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.373Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:50", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17308", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17308", "datePublished": "2019-10-07T15:03:50", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.373Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-0694
Vulnerability from cvelistv5
Published
2019-10-29 20:37
Modified
2024-08-06 18:30
Severity ?
EPSS score ?
Summary
SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user-controlled input, which allows remote attackers to execute arbitrary PHP code.
References
| URL | Tags |
|---|---|
| https://security-tracker.debian.org/tracker/CVE-2012-0694 | x_refsource_MISC |
| https://www.exploit-db.com/exploits/19381 | exploit, x_refsource_EXPLOIT-DB |
| https://seclists.org/bugtraq/2012/Jun/165 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:30:53.800Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://security-tracker.debian.org/tracker/CVE-2012-0694" }, { "name": "19381", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/19381" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://seclists.org/bugtraq/2012/Jun/165" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-06-23T00:00:00", "descriptions": [ { "lang": "en", "value": "SugarCRM CE \u003c= 6.3.1 contains scripts that use \"unserialize()\" with user controlled input which allows remote attackers to execute arbitrary PHP code." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-29T20:37:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://security-tracker.debian.org/tracker/CVE-2012-0694" }, { "name": "19381", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/19381" }, { "tags": [ "x_refsource_MISC" ], "url": "https://seclists.org/bugtraq/2012/Jun/165" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-0694", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM CE \u003c= 6.3.1 
contains scripts that use \"unserialize()\" with user controlled input which allows remote attackers to execute arbitrary PHP code." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://security-tracker.debian.org/tracker/CVE-2012-0694", "refsource": "MISC", "url": "https://security-tracker.debian.org/tracker/CVE-2012-0694" }, { "name": "19381", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/19381" }, { "name": "https://seclists.org/bugtraq/2012/Jun/165", "refsource": "MISC", "url": "https://seclists.org/bugtraq/2012/Jun/165" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-0694", "datePublished": "2019-10-29T20:37:25", "dateReserved": "2012-01-12T00:00:00", "dateUpdated": "2024-08-06T18:30:53.800Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17312
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.324Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17312", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17312", "datePublished": "2019-10-07T15:03:12", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.324Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-0745
Vulnerability from cvelistv5
Published
2011-03-16 22:00
Modified
2024-08-06 22:05
Severity ?
EPSS score ?
Summary
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/46885 | vdb-entry, x_refsource_BID |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/66110 | vdb-entry, x_refsource_XF |
| http://www.vupen.com/english/advisories/2011/0675 | vdb-entry, x_refsource_VUPEN |
| http://www.redteam-pentesting.de/advisories/rt-sa-2011-002 | x_refsource_MISC |
| http://www.securitytracker.com/id?1025222 | vdb-entry, x_refsource_SECTRACK |
| http://securityreason.com/securityalert/8141 | third-party-advisory, x_refsource_SREASON |
| http://www.securityfocus.com/archive/1/517027/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T22:05:53.388Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "46885", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/46885" }, { "name": "sugarcrm-list-info-disclosure(66110)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66110" }, { "name": "ADV-2011-0675", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0675" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2011-002" }, { "name": "1025222", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1025222" }, { "name": "8141", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/8141" }, { "name": "20110315 [RT-SA-2011-002] SugarCRM list privilege restriction bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/517027/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-03-15T00:00:00", "descriptions": [ { "lang": "en", "value": "SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "46885", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/46885" }, { "name": "sugarcrm-list-info-disclosure(66110)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66110" }, { "name": "ADV-2011-0675", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0675" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2011-002" }, { "name": "1025222", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1025222" }, { "name": "8141", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/8141" }, { "name": "20110315 [RT-SA-2011-002] SugarCRM list privilege restriction bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/517027/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-0745", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of 
contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "46885", "refsource": "BID", "url": "http://www.securityfocus.com/bid/46885" }, { "name": "sugarcrm-list-info-disclosure(66110)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66110" }, { "name": "ADV-2011-0675", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0675" }, { "name": "http://www.redteam-pentesting.de/advisories/rt-sa-2011-002", "refsource": "MISC", "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2011-002" }, { "name": "1025222", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1025222" }, { "name": "8141", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8141" }, { "name": "20110315 [RT-SA-2011-002] SugarCRM list privilege restriction bypass", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/517027/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-0745", "datePublished": "2011-03-16T22:00:00", "dateReserved": "2011-02-02T00:00:00", "dateUpdated": "2024-08-06T22:05:53.388Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17296
Vulnerability from cvelistv5
Published
2019-10-07 15:05
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.371Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:05:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17296", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17296", "datePublished": "2019-10-07T15:05:35", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.371Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17316
Vulnerability from cvelistv5
Published
2019-10-07 15:00
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.033Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:00:44", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17316", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17316", "datePublished": "2019-10-07T15:00:44", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.033Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17299
Vulnerability from cvelistv5
Published
2019-10-07 15:05
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.366Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:05:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17299", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17299", "datePublished": "2019-10-07T15:05:07", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.366Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-35810
Vulnerability from cvelistv5
Published
2023-06-17 00:00
Modified
2024-12-17 16:26
Severity ?
EPSS score ?
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability. Editions other than Enterprise are also affected.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:30:45.364Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009/" }, { "name": "20230823 [KIS-2023-07] SugarCRM \u003c= 12.2.0 (Docusign_GlobalSettings) PHP Object Injection Vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/28" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/174302/SugarCRM-12.2.0-PHP-Object-Injection.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-35810", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-17T16:25:42.776783Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-17T16:26:03.368Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability. Editions other than Enterprise are also affected." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-23T15:06:17.212304", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009/" }, { "name": "20230823 [KIS-2023-07] SugarCRM \u003c= 12.2.0 (Docusign_GlobalSettings) PHP Object Injection Vulnerability", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/28" }, { "url": "http://packetstormsecurity.com/files/174302/SugarCRM-12.2.0-PHP-Object-Injection.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-35810", "datePublished": "2023-06-17T00:00:00", "dateReserved": "2023-06-17T00:00:00", "dateUpdated": "2024-12-17T16:26:03.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-35811
Vulnerability from cvelistv5
Published
2023-06-17 00:00
Modified
2024-12-17 16:22
Severity ?
EPSS score ?
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can be used for exploitation. Editions other than Enterprise are also affected.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:30:45.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/" }, { "name": "20230823 [KIS-2023-08] SugarCRM \u003c= 12.2.0 Two SQL Injection Vulnerabilities", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/29" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-35811", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-17T16:22:17.744426Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-17T16:22:38.555Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-23T15:06:20.287101", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/" }, { "name": "20230823 [KIS-2023-08] SugarCRM \u003c= 12.2.0 Two SQL Injection Vulnerabilities", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/29" }, { "url": "http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-35811", "datePublished": "2023-06-17T00:00:00", "dateReserved": "2023-06-17T00:00:00", "dateUpdated": "2024-12-17T16:22:38.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17297
Vulnerability from cvelistv5
Published
2019-10-07 15:05
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:05:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17297", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17297", "datePublished": "2019-10-07T15:05:24", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17318
Vulnerability from cvelistv5
Published
2019-10-07 14:56
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.043Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T14:56:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17318", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17318", "datePublished": "2019-10-07T14:56:00", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.043Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-6308
Vulnerability from cvelistv5
Published
2018-01-25 08:00
Modified
2024-08-05 06:01
Severity ?
EPSS score ?
Summary
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.
References
| URL | Tags |
|---|---|
| http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:01:48.685Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-01-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\\Campaigns\\Tracker.php and modules\\Campaigns\\utils.php, the default_currency_name parameter to modules\\Configurator\\controller.php and modules\\Currencies\\Currency.php, the duplicate parameter to modules\\Contacts\\ShowDuplicates.php, the mergecur parameter to modules\\Currencies\\index.php and modules\\Opportunities\\Opportunity.php, and the load_signed_id parameter to modules\\Documents\\Document.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-25T07:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6308", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\\Campaigns\\Tracker.php and modules\\Campaigns\\utils.php, the default_currency_name parameter to modules\\Configurator\\controller.php and modules\\Currencies\\Currency.php, the duplicate parameter to modules\\Contacts\\ShowDuplicates.php, the mergecur parameter to modules\\Currencies\\index.php and modules\\Opportunities\\Opportunity.php, and the load_signed_id parameter to modules\\Documents\\Document.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf", "refsource": "MISC", "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-6308", "datePublished": "2018-01-25T08:00:00", "dateReserved": "2018-01-25T00:00:00", "dateUpdated": "2024-08-05T06:01:48.685Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46815
Vulnerability from cvelistv5
Published
2023-10-27 00:00
Modified
2024-09-09 16:04
Severity ?
EPSS score ?
Summary
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with regular user privileges can exploit this.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:21.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sugarcrm", "vendor": "sugarcrm", "versions": [ { "lessThan": "12.0.4", "status": "affected", "version": "12.0.0", "versionType": "custom" }, { "lessThan": "13.0.2", "status": "affected", "version": "13.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-46815", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-09T16:02:28.962463Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-09T16:04:44.024Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with regular user privileges can exploit this." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-27T03:28:57.617824", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-46815", "datePublished": "2023-10-27T00:00:00", "dateReserved": "2023-10-27T00:00:00", "dateUpdated": "2024-09-09T16:04:44.024Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-3803
Vulnerability from cvelistv5
Published
2011-09-24 00:00
Modified
2024-09-17 00:21
Severity ?
EPSS score ?
Summary
SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files.
References
| URL | Tags |
|---|---|
| http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2011/06/27/6 | mailing-list, x_refsource_MLIST |
| http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:46:03.118Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0" }, { "name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-09-24T00:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0" }, { "name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "tags": [ "x_refsource_MISC" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-3803", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0", "refsource": "MISC", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/SugarCRM-6.1.0" }, { "name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", "refsource": "MISC", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-3803", "datePublished": "2011-09-24T00:00:00Z", "dateReserved": "2011-09-23T00:00:00Z", "dateUpdated": "2024-09-17T00:21:08.680Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17319
Vulnerability from cvelistv5
Published
2019-10-07 14:55
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.034Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T14:55:50", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17319", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17319", "datePublished": "2019-10-07T14:55:50", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.034Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17301
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.372Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:50", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17301", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17301", "datePublished": "2019-10-07T15:04:50", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.372Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17784
Vulnerability from cvelistv5
Published
2018-10-10 21:00
Modified
2024-08-05 10:54
Severity ?
EPSS score ?
Summary
Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
References
| URL | Tags |
|---|---|
| https://twitter.com/purplemet/status/1043979681186369537 | x_refsource_MISC |
| https://www.exploit-db.com/exploits/45594/ | exploit, x_refsource_EXPLOIT-DB |
| https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:54:10.633Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://twitter.com/purplemet/status/1043979681186369537" }, { "name": "45594", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/45594/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-09-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-13T18:53:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://twitter.com/purplemet/status/1043979681186369537" }, { "name": "45594", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/45594/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-17784", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://twitter.com/purplemet/status/1043979681186369537", "refsource": "MISC", "url": "https://twitter.com/purplemet/status/1043979681186369537" }, { "name": "45594", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45594/" }, { "name": "https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities", "refsource": "MISC", "url": "https://www.purplemet.com/blog/sugarcrm-multiple-xss-vulnerabilities" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-17784", "datePublished": "2018-10-10T21:00:00", "dateReserved": "2018-09-29T00:00:00", "dateUpdated": "2024-08-05T10:54:10.633Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17313
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user.
References
| URL | Tags |
|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.373Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17313", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17313", "datePublished": "2019-10-07T15:03:00", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.373Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-4833
Vulnerability from cvelistv5
Published
2011-12-15 02:00
Modified
2024-08-07 00:16
Severity ?
EPSS score ?
Summary
Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php.
References
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/71586 | vdb-entry, x_refsource_XF |
| http://www.sugarcrm.com/crm/support/bugs.html#issue_47839 | x_refsource_CONFIRM |
| https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html | x_refsource_MISC |
| http://www.osvdb.org/77459 | vdb-entry, x_refsource_OSVDB |
| http://www.sugarcrm.com/crm/support/bugs.html#issue_47805 | x_refsource_CONFIRM |
| http://secunia.com/advisories/47011 | third-party-advisory, x_refsource_SECUNIA |
| http://securitytracker.com/id?1026369 | vdb-entry, x_refsource_SECTRACK |
| http://www.sugarcrm.com/crm/support/bugs.html#issue_47806 | x_refsource_CONFIRM |
| http://www.sugarcrm.com/crm/support/bugs.html#issue_47800 | x_refsource_CONFIRM |
| http://www.securityfocus.com/archive/1/520685/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:16:35.061Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "sugarcrm-index-sql-injection(71586)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71586" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47839" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html" }, { "name": "77459", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/77459" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47805" }, { "name": "47011", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/47011" }, { "name": "1026369", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1026369" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47806" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47800" }, { "name": "20111130 Sql injection in SugarCRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/520685/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-11-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to 
execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "sugarcrm-index-sql-injection(71586)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71586" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47839" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html" }, { "name": "77459", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/77459" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47805" }, { "name": "47011", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/47011" }, { "name": "1026369", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1026369" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47806" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47800" }, { "name": "20111130 Sql injection in SugarCRM", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/520685/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4833", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "sugarcrm-index-sql-injection(71586)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71586" }, { "name": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47839", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47839" }, { "name": "https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html", "refsource": "MISC", "url": "https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html" }, { "name": "77459", "refsource": "OSVDB", "url": "http://www.osvdb.org/77459" }, { "name": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47805", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47805" }, { "name": "47011", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/47011" }, { "name": "1026369", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1026369" }, { "name": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47806", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47806" }, { "name": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47800", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/crm/support/bugs.html#issue_47800" }, { "name": "20111130 Sql injection in SugarCRM", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/520685/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": 
"CVE-2011-4833", "datePublished": "2011-12-15T02:00:00", "dateReserved": "2011-12-14T00:00:00", "dateUpdated": "2024-08-07T00:16:35.061Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-5715
Vulnerability from cvelistv5
Published
2018-01-16 20:00
Modified
2024-08-05 05:40
Severity ?
EPSS score ?
Summary
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
References
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/43683/ | exploit, x_refsource_EXPLOIT-DB |
| https://m4k4br0.github.io/sugarcrm-xss/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T05:40:51.147Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "43683", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/43683/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://m4k4br0.github.io/sugarcrm-xss/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-01-16T00:00:00", "descriptions": [ { "lang": "en", "value": "phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-19T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "43683", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/43683/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://m4k4br0.github.io/sugarcrm-xss/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-5715", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "43683", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/43683/" }, { "name": "https://m4k4br0.github.io/sugarcrm-xss/", "refsource": "MISC", "url": "https://m4k4br0.github.io/sugarcrm-xss/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-5715", "datePublished": "2018-01-16T20:00:00", "dateReserved": "2018-01-16T00:00:00", "dateUpdated": "2024-08-05T05:40:51.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17292
Vulnerability from cvelistv5
Published
2019-10-07 15:06
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user.
References
URL | Tags
---|---
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/ | x_refsource_MISC
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.354Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17292", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17292", "datePublished": "2019-10-07T15:06:12", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.354Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-7472
Vulnerability from cvelistv5
Published
2020-11-12 17:33
Modified
2024-08-04 09:33
Severity ?
EPSS score ?
Summary
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).
References
URL | Tags
---|---
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/ | x_refsource_CONFIRM
https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/ | x_refsource_MISC
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:33:18.771Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.)." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-12T17:33:23", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7472", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/", "refsource": "CONFIRM", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-043/" }, { "name": "https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Sugar_10.0.0_Release_Notes/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7472", "datePublished": "2020-11-12T17:33:23", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:18.771Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17300
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user.
References
URL | Tags
---|---
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/ | x_refsource_MISC
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.364Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17300", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17300", "datePublished": "2019-10-07T15:04:58", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.364Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-17372
Vulnerability from cvelistv5
Published
2020-08-12 12:24
Modified
2024-08-04 13:53
Severity ?
EPSS score ?
Summary
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
References
URL | Tags
---|---
https://support.sugarcrm.com/Resources/Security/ | x_refsource_MISC
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025 | x_refsource_MISC
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026 | x_refsource_MISC
http://seclists.org/fulldisclosure/2020/Aug/7 | x_refsource_MISC
http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html | x_refsource_MISC
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:53:16.723Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/7" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 10.1.0 (Q3 2020) allows XSS." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-12T17:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025" }, { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026" }, { "tags": [ "x_refsource_MISC" ], "url": "http://seclists.org/fulldisclosure/2020/Aug/7" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17372", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 10.1.0 (Q3 2020) allows XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/" }, { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025" }, { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026" }, { "name": "http://seclists.org/fulldisclosure/2020/Aug/7", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2020/Aug/7" }, { "name": "http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17372", "datePublished": "2020-08-12T12:24:57", "dateReserved": "2020-08-06T00:00:00", "dateUpdated": "2024-08-04T13:53:16.723Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-6712
Vulnerability from cvelistv5
Published
2006-12-23 01:00
Modified
2024-08-07 20:33
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages.
References
URL | Tags
---|---
http://securitytracker.com/id?1017434 | vdb-entry, x_refsource_SECTRACK
http://jvn.jp/jp/JVN%2374079537/index.html | third-party-advisory, x_refsource_JVN
http://www.vupen.com/english/advisories/2006/5100 | vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/23424 | third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/21694 | vdb-entry, x_refsource_BID
http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf | x_refsource_CONFIRM
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T20:33:59.955Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1017434", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1017434" }, { "name": "JVN#74079537", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/jp/JVN%2374079537/index.html" }, { "name": "ADV-2006-5100", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/5100" }, { "name": "23424", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/23424" }, { "name": "21694", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/21694" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-12-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-11-11T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "1017434", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1017434" }, { "name": "JVN#74079537", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/jp/JVN%2374079537/index.html" }, { "name": "ADV-2006-5100", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/5100" }, { "name": "23424", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/23424" }, { "name": "21694", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/21694" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-6712", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1017434", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1017434" }, { "name": "JVN#74079537", "refsource": "JVN", "url": "http://jvn.jp/jp/JVN%2374079537/index.html" }, { "name": "ADV-2006-5100", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/5100" }, { "name": "23424", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23424" }, { "name": "21694", "refsource": "BID", "url": "http://www.securityfocus.com/bid/21694" }, { "name": "http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf", "refsource": "CONFIRM", "url": "http://dl.sugarforge.org/sugardocs/Notes/ReleaseNotes/SugarOpenSource_ReleaseNotes_4.5.0g.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-6712", "datePublished": "2006-12-23T01:00:00", "dateReserved": "2006-12-22T00:00:00", "dateUpdated": "2024-08-07T20:33:59.955Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17305
Vulnerability from cvelistv5
Published
2019-10-07 15:04
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user.
References
URL | Tags
---|---
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/ | x_refsource_MISC
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.369Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:04:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17305", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17305", "datePublished": "2019-10-07T15:04:14", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.369Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-35808
Vulnerability from cvelistv5
Published
2023-06-17 00:00
Modified
2024-12-17 16:28
Severity ?
EPSS score ?
Summary
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:30:45.336Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/" }, { "name": "20230823 [KIS-2023-05] SugarCRM \u003c= 12.2.0 (Notes) Unrestricted File Upload Vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/26" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/174300/SugarCRM-12.2.0-Shell-Upload.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-35808", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-17T16:13:34.196310Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-17T16:28:18.588Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. 
By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-23T15:06:14.285008", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/" }, { "name": "20230823 [KIS-2023-05] SugarCRM \u003c= 12.2.0 (Notes) Unrestricted File Upload Vulnerability", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Aug/26" }, { "url": "http://packetstormsecurity.com/files/174300/SugarCRM-12.2.0-Shell-Upload.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-35808", "datePublished": "2023-06-17T00:00:00", "dateReserved": "2023-06-17T00:00:00", "dateUpdated": "2024-12-17T16:28:18.588Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-22952
Vulnerability from cvelistv5
Published
2023-01-11 00:00
Modified
2025-01-29 15:23
Severity ?
EPSS score ?
Summary
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:20:31.466Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-22952", "options": [ { "Exploitation": "active" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-29T15:22:24.096971Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2023-02-02", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-22952" }, "type": "kev" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-29T15:23:01.963Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-10T00:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/" }, { "url": "http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-22952", "datePublished": "2023-01-11T00:00:00.000Z", "dateReserved": "2023-01-11T00:00:00.000Z", "dateUpdated": "2025-01-29T15:23:01.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-2978
Vulnerability from cvelistv5
Published
2009-08-27 18:00
Modified
2024-08-07 06:07
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
URL | Tags
---|---
https://exchange.xforce.ibmcloud.com/vulnerabilities/52679 | vdb-entry, x_refsource_XF
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html | third-party-advisory, x_refsource_JVNDB
http://www.sugarcrm.com/forums/showthread.php?t=50907 | x_refsource_CONFIRM
http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html | x_refsource_MISC
http://www.sugarcrm.com/forums/showthread.php?t=50953 | x_refsource_CONFIRM
http://secunia.com/advisories/36423 | third-party-advisory, x_refsource_SECUNIA
http://jvn.jp/en/jp/JVN31035930/index.html | third-party-advisory, x_refsource_JVN
http://www.securityfocus.com/bid/36118 | vdb-entry, x_refsource_BID
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:07:37.413Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "sugarcrm-unspecified-sql-injection(52679)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52679" }, { "name": "JVNDB-2009-000056", "tags": [ "third-party-advisory", "x_refsource_JVNDB", "x_transferred" ], "url": "http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50907" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50953" }, { "name": "36423", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36423" }, { "name": "JVN#31035930", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN31035930/index.html" }, { "name": "36118", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36118" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-08-24T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "sugarcrm-unspecified-sql-injection(52679)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52679" }, { "name": "JVNDB-2009-000056", "tags": [ "third-party-advisory", "x_refsource_JVNDB" ], "url": "http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50907" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=50953" }, { "name": "36423", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36423" }, { "name": "JVN#31035930", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN31035930/index.html" }, { "name": "36118", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36118" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-2978", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "sugarcrm-unspecified-sql-injection(52679)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52679" }, { "name": "JVNDB-2009-000056", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html" }, { "name": "http://www.sugarcrm.com/forums/showthread.php?t=50907", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/forums/showthread.php?t=50907" }, { "name": "http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html", "refsource": "MISC", "url": "http://www.ipa.go.jp/security/vuln/documents/2009/200908_sugarcrm.html" }, { "name": "http://www.sugarcrm.com/forums/showthread.php?t=50953", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/forums/showthread.php?t=50953" }, { "name": "36423", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36423" }, { "name": "JVN#31035930", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN31035930/index.html" }, { "name": "36118", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36118" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-2978", "datePublished": "2009-08-27T18:00:00", "dateReserved": "2009-08-27T00:00:00", "dateUpdated": "2024-08-07T06:07:37.413Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17315
Vulnerability from cvelistv5
Published
2019-10-07 15:00
Modified
2024-08-05 01:40
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.
References
URL | Tags |
---|---|
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.042Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:00:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17315", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17315", "datePublished": "2019-10-07T15:00:58", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17309
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user.
References
URL | Tags |
---|---|
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.352Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17309", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17309", "datePublished": "2019-10-07T15:03:41", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.352Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17293
Vulnerability from cvelistv5
Published
2019-10-07 15:06
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user.
References
URL | Tags |
---|---|
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.366Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:06:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17293", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17293", "datePublished": "2019-10-07T15:06:03", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.366Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17310
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user.
References
URL | Tags |
---|---|
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.420Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17310", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17310", "datePublished": "2019-10-07T15:03:30", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.420Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46816
Vulnerability from cvelistv5
Published
2023-10-27 00:00
Modified
2024-09-09 16:01
Summary
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:21.825Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sugarcrm", "vendor": "sugarcrm", "versions": [ { "lessThan": "12.0.4", "status": "affected", "version": "12.0.0", "versionType": "custom" }, { "lessThan": "13.0.2.", "status": "affected", "version": "13.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-46816", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-09T15:58:23.395540Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-09T16:01:32.429Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-27T03:28:43.072794", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-46816", "datePublished": "2023-10-27T00:00:00", "dateReserved": "2023-10-27T00:00:00", "dateUpdated": "2024-09-09T16:01:32.429Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17307
Vulnerability from cvelistv5
Published
2019-10-07 15:03
Modified
2024-08-05 01:33
Summary
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user.
References
URL | Tags |
---|---|
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:33:17.375Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:03:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17307", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/", "refsource": "MISC", "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17307", "datePublished": "2019-10-07T15:03:58", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.375Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-2045
Vulnerability from cvelistv5
Published
2008-05-01 18:00
Modified
2024-08-07 08:49
Summary
Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory.
References
URL | Tags |
---|---|
http://www.securityfocus.com/archive/1/491417/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
http://www.sugarcrm.com/forums/showthread.php?t=31688 | x_refsource_CONFIRM |
http://www.securityfocus.com/bid/28981 | vdb-entry, x_refsource_BID |
http://www.sugarcrm.com/forums/showthread.php?t=32252 | x_refsource_CONFIRM |
http://www.vupen.com/english/advisories/2008/1388/references | vdb-entry, x_refsource_VUPEN |
http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html | x_refsource_CONFIRM |
http://securityreason.com/securityalert/3844 | third-party-advisory, x_refsource_SREASON |
http://secunia.com/advisories/30002 | third-party-advisory, x_refsource_SECUNIA |
https://exchange.xforce.ibmcloud.com/vulnerabilities/42087 | vdb-entry, x_refsource_XF |
http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf | x_refsource_MISC |
https://www.exploit-db.com/exploits/5521 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:49:57.023Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20080429 SugarCRM Community Edition Local File Disclosure Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/491417/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=31688" }, { "name": "28981", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28981" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=32252" }, { "name": "ADV-2008-1388", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/1388/references" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html" }, { "name": "3844", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/3844" }, { "name": "30002", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30002" }, { "name": "sugar-feed-information-disclosure(42087)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42087" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf" }, { "name": "5521", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/5521" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", 
"versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-04-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20080429 SugarCRM Community Edition Local File Disclosure Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/491417/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=31688" }, { "name": "28981", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28981" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/forums/showthread.php?t=32252" }, { "name": "ADV-2008-1388", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/1388/references" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html" }, { "name": "3844", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/3844" }, { "name": "30002", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30002" }, { "name": "sugar-feed-information-disclosure(42087)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42087" }, { "tags": [ "x_refsource_MISC" ], "url": 
"http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf" }, { "name": "5521", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/5521" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-2045", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20080429 SugarCRM Community Edition Local File Disclosure Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/491417/100/0/threaded" }, { "name": "http://www.sugarcrm.com/forums/showthread.php?t=31688", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/forums/showthread.php?t=31688" }, { "name": "28981", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28981" }, { "name": "http://www.sugarcrm.com/forums/showthread.php?t=32252", "refsource": "CONFIRM", "url": "http://www.sugarcrm.com/forums/showthread.php?t=32252" }, { "name": "ADV-2008-1388", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1388/references" }, { "name": "http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html", "refsource": "CONFIRM", "url": 
"http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html" }, { "name": "3844", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3844" }, { "name": "30002", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30002" }, { "name": "sugar-feed-information-disclosure(42087)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42087" }, { "name": "http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf", "refsource": "MISC", "url": "http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf" }, { "name": "5521", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/5521" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-2045", "datePublished": "2008-05-01T18:00:00", "dateReserved": "2008-05-01T00:00:00", "dateUpdated": "2024-08-07T08:49:57.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
jvndb-2009-000056
Vulnerability from jvndb
Published
2009-08-24 16:25
Modified
2009-08-24 16:25
Summary
SugarCRM vulnerable to SQL injection
Details
SugarCRM contains a SQL injection vulnerability.
SugarCRM is a customer relationship management (CRM) software. SugarCRM contains a SQL injection vulnerability.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html", "dc:date": "2009-08-24T16:25+09:00", "dcterms:issued": "2009-08-24T16:25+09:00", "dcterms:modified": "2009-08-24T16:25+09:00", "description": "SugarCRM contains a SQL injection vulnerability.\r\n\r\nSugarCRM is a customer relationship management (CRM) software. SugarCRM contains a SQL injection vulnerability. \r\n\r\nTakeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000056.html", "sec:cpe": { "#text": "cpe:/a:sugarcrm:sugarcrm", "@product": "SugarCRM", "@vendor": "SugarCRM", "@version": "2.2" }, "sec:cvss": { "@score": "6.5", "@severity": "Medium", "@type": "Base", "@vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "@version": "2.0" }, "sec:identifier": "JVNDB-2009-000056", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN31035930/index.html", "@id": "JVN#31035930", "@source": "JVN" }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2978", "@id": "CVE-2009-2978", "@source": "CVE" }, { "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2978", "@id": "CVE-2009-2978", "@source": "NVD" }, { "#text": "http://www.ipa.go.jp/security/english/vuln/200908_sugarcrm_en.html", "@id": "Security Alert for Vulnerability in SugarCRM", "@source": "IPA SECURITY ALERTS" }, { "#text": "http://secunia.com/advisories/36423", "@id": "SA36423", "@source": "SECUNIA" }, { "#text": "http://www.securityfocus.com/bid/36118", "@id": "36118", "@source": "BID" }, { "#text": "http://xforce.iss.net/xforce/xfdb/52679", "@id": "52679", "@source": "XF" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-89", "@title": "SQL Injection(CWE-89)" } ], "title": "SugarCRM vulnerable to SQL injection" }
jvndb-2006-000654
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2008-05-21 00:00
Summary
SugarCRM cross-site scripting vulnerability
Details
SugarCRM, an open source CRM (Customer Relationship Management) package, contains a cross-site scripting vulnerability.
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2006/JVNDB-2006-000654.html", "dc:date": "2008-05-21T00:00+09:00", "dcterms:issued": "2008-05-21T00:00+09:00", "dcterms:modified": "2008-05-21T00:00+09:00", "description": "SugarCRM, an open source CRM (Customer Relationship Management) package, contains a cross-site scripting vulnerability.", "link": "https://jvndb.jvn.jp/en/contents/2006/JVNDB-2006-000654.html", "sec:cpe": { "#text": "cpe:/a:sugarcrm:sugarcrm", "@product": "SugarCRM", "@vendor": "SugarCRM", "@version": "2.2" }, "sec:cvss": { "@score": "2.6", "@severity": "Low", "@type": "Base", "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "@version": "2.0" }, "sec:identifier": "JVNDB-2006-000654", "sec:references": { "#text": "http://jvn.jp/en/jp/JVN30144870/index.html", "@id": "JVN#30144870", "@source": "JVN" }, "title": "SugarCRM cross-site scripting vulnerability" }
jvndb-2009-000065
Vulnerability from jvndb
Published
2009-10-02 16:02
Modified
2009-10-02 16:02
Summary
SugarCRM vulnerable to cross-site scripting
Details
SugarCRM contains a cross-site scripting vulnerability.
SugarCRM is a customer relationship management (CRM) software. SugarCRM contains a cross-site scripting vulnerability.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Type | URL |
---|---|
JVN | http://jvn.jp/en/jp/JVN84396512/index.html |
Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000065.html", "dc:date": "2009-10-02T16:02+09:00", "dcterms:issued": "2009-10-02T16:02+09:00", "dcterms:modified": "2009-10-02T16:02+09:00", "description": "SugarCRM contains a cross-site scripting vulnerability.\r\n\r\nSugarCRM is a customer relationship management (CRM) software. SugarCRM contains a cross-site scripting vulnerability.\r\n\r\nTakeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000065.html", "sec:cpe": { "#text": "cpe:/a:sugarcrm:sugarcrm", "@product": "SugarCRM", "@vendor": "SugarCRM", "@version": "2.2" }, "sec:cvss": { "@score": "2.6", "@severity": "Low", "@type": "Base", "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "@version": "2.0" }, "sec:identifier": "JVNDB-2009-000065", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN84396512/index.html", "@id": "JVN#84396512", "@source": "JVN" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)" } ], "title": "SugarCRM vulnerable to cross-site scripting" }
jvndb-2006-000849
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2008-05-21 00:00
Summary
SugarCRM cross-site scripting vulnerability
Details
SugarCRM, open source CRM (Customer Relationship Management) software, contains a cross-site scripting vulnerability.
This vulnerability is different from JVN#30144870.
References
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2006/JVNDB-2006-000849.html", "dc:date": "2008-05-21T00:00+09:00", "dcterms:issued": "2008-05-21T00:00+09:00", "dcterms:modified": "2008-05-21T00:00+09:00", "description": "SugarCRM, open source CRM (Customer Relationship Management) software, contains a cross-site scripting vulnerability.\r\n\r\nThis vulnerability is different from JVN#30144870.", "link": "https://jvndb.jvn.jp/en/contents/2006/JVNDB-2006-000849.html", "sec:cpe": { "#text": "cpe:/a:sugarcrm:sugarcrm", "@product": "SugarCRM", "@vendor": "SugarCRM", "@version": "2.2" }, "sec:cvss": { "@score": "2.6", "@severity": "Low", "@type": "Base", "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "@version": "2.0" }, "sec:identifier": "JVNDB-2006-000849", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN74079537/index.html", "@id": "JVN#74079537", "@source": "JVN" }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6712", "@id": "CVE-2006-6712", "@source": "CVE" }, { "#text": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6712", "@id": "CVE-2006-6712", "@source": "NVD" }, { "#text": "http://secunia.com/advisories/23424", "@id": "SA23424", "@source": "SECUNIA" }, { "#text": "http://www.securityfocus.com/bid/21694", "@id": "21694", "@source": "BID" }, { "#text": "http://securitytracker.com/id?1017434", "@id": "1017434", "@source": "SECTRACK" }, { "#text": "http://www.frsirt.com/english/advisories/2006/5100", "@id": "FrSIRT/ADV-2006-5100", "@source": "FRSIRT" } ], "title": "SugarCRM cross-site scripting vulnerability" }