CVE-2020-17373 – SugarCRM SQL Injection
https://notcve.org/view.php?id=CVE-2020-17373
SugarCRM before 10.1.0 (Q3 2020) allows SQL injection. The Packet Storm summary of the same disclosure gives the affected range as versions prior to 10.1.10; the two fixed-version figures disagree, so confirm the patched release against the vendor advisory (sugarcrm-sa-2020-051) before treating an install as fixed.
• http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html
• http://seclists.org/fulldisclosure/2020/Aug/9
• https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
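The page gives no detail on the injectable parameter, so the following is a generic illustration of the CWE-89 pattern behind this entry, added here and not taken from SugarCRM or the advisory. It uses an in-memory SQLite table with constructed rows (not SugarCRM's schema) and contrasts a query built by string concatenation with the same query using a bound parameter, showing that a tautology payload returns every row in the first case and nothing in the second.

```python
import sqlite3

# Constructed sample rows standing in for a CRM contacts table (not SugarCRM's schema).
ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (user_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_name):
    """Untrusted input spliced into the SQL text: the CWE-89 anti-pattern."""
    sql = "SELECT user_name, email FROM contacts WHERE user_name = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_name):
    """Bound parameter: the value is data and cannot alter the statement structure."""
    sql = "SELECT user_name, email FROM contacts WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


def demo(user_name):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, user_name)), len(lookup_safe(conn, user_name))
    finally:
        conn.close()


if __name__ == "__main__":
    print(demo("alice"))            # a normal name matches one row either way
    print(demo("' OR '1'='1"))      # tautology: all rows leak from the concatenated query
```

The payload turns the concatenated statement into `WHERE user_name = '' OR '1'='1'`, which is true for every row; the parameterised version compares the column against the literal string `' OR '1'='1` and finds nothing.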
CVE-2020-17372 – SugarCRM Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-17372
SugarCRM before 10.1.0 (Q3 2020) allows cross-site scripting (XSS). The Packet Storm summary of the same disclosure describes multiple cross-site scripting vulnerabilities in versions prior to 10.1.10; as with CVE-2020-17373, the fixed-version figures disagree, so confirm against the vendor advisories (sugarcrm-sa-2020-025 and sugarcrm-sa-2020-026).
• http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2020/Aug/7
• https://support.sugarcrm.com/Resources/Security
• https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025
• https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-3244
https://notcve.org/view.php?id=CVE-2014-3244
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files, or potentially execute arbitrary code, via a crafted DTD in an XML request.
• http://seclists.org/fulldisclosure/2014/Jun/92
• http://www.securityfocus.com/bid/68102
• https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2017-14509
https://notcve.org/view.php?id=CVE-2017-14509
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion in the Connectors module allows authenticated users to include remotely accessible files through the url parameter of a module=CallRest&url= query string. Exploitation requires an authenticated user, unlike CVE-2017-14510 below. The fix adds input validation on that parameter.
• https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities
• https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007
• https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM
• CWE-20: Improper Input Validation
CVE-2017-14510
https://notcve.org/view.php?id=CVE-2017-14510
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is vulnerable to unauthenticated cross-site scripting (XSS) because the redirect URL values passed to it were not validated. The fix validates those redirect URL values.
• https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities
• https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008
• https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
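Both 2017 entries were fixed by validating a URL taken from the request: the url parameter that the Connectors module fetches server-side (CVE-2017-14509) and the redirect target handed to WebToLeadCapture (CVE-2017-14510). The block below is an added example of how such validation can be done; it is not SugarCRM's fix and the host names are invented. It separates the two cases because the rules differ: a redirect may be a same-site relative path or an absolute URL on the application's own host, while a server-side fetch should only ever reach an explicit allowlist of hosts over https. Both reject non-http(s) schemes (which is what lets a javascript: redirect become XSS), protocol-relative //host forms, embedded credentials and CR/LF or NUL bytes.

```python
from urllib.parse import urlsplit

ALLOWED_REDIRECT_SCHEMES = {"http", "https"}
FORBIDDEN_CHARS = "\r\n\x00"  # header injection / truncation attempts


def _clean(value):
    """Reject empty values, control characters and backslashes (browser-specific slash tricks)."""
    if not value or "\\" in value or any(c in value for c in FORBIDDEN_CHARS):
        return None
    return value


def safe_redirect_target(value, own_host):
    """Return a redirect target the app may emit, or None if it must be refused.

    Accepts a same-origin relative path (single leading '/') or an absolute
    http(s) URL whose host is exactly own_host. own_host is a hypothetical name.
    """
    value = _clean(value)
    if value is None:
        return None
    if value.startswith("/") and not value.startswith("//"):
        return value                                   # relative path, same origin
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_REDIRECT_SCHEMES:
        return None                                    # javascript:, data:, '' (//host), ...
    if parts.username or parts.password or not parts.hostname:
        return None                                    # user@host confusion, bare paths
    if parts.hostname.lower() != own_host.lower():
        return None                                    # open redirect to another site
    return value


def safe_fetch_target(value, allowed_hosts):
    """Return an absolute URL a server-side connector may fetch, or None.

    Only https to an allowlisted host is permitted; file:, http:, link-local
    metadata addresses and credentials in the authority are all refused.
    """
    value = _clean(value)
    if value is None:
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.username or parts.password:
        return None
    if parts.hostname.lower() not in {h.lower() for h in allowed_hosts}:
        return None
    return value


if __name__ == "__main__":
    # Hypothetical hosts, not real deployments.
    for candidate in ["/index.php?module=Home", "//evil.example/", "javascript:alert(1)",
                      "https://crm.example/index.php", "https://evil.example@crm.example/"]:
        print(repr(candidate), "->", safe_redirect_target(candidate, "crm.example"))
    for candidate in ["https://api.example/feed", "http://169.254.169.254/latest/",
                      "file:///etc/passwd"]:
        print(repr(candidate), "->", safe_fetch_target(candidate, ["api.example"]))
```

The check is an allowlist on the parsed URL, not a blocklist of bad prefixes: urlsplit does the scheme and authority parsing so that case variations, protocol-relative forms and userinfo tricks all fall out as rejections rather than needing individual rules.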
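The affected ranges on this page are of two shapes: a plain "before X" and a per-branch "7.8.x before 7.8.2.2". The following added example (not from the page or from SugarCRM) encodes every range listed above exactly as stated and answers "which of these CVEs does my installed version fall under?" by component-wise version comparison. It reads the ranges literally (so "before 7.7.2.3" also covers 6.5.x, which agrees with the Community Edition 6.5.26 parenthetical) and uses the NVD figure of 10.1.0 for the 2020 entries; the vendor advisories remain authoritative, in particular for end-of-life branches and for the 10.1.0 vs 10.1.10 disagreement noted above.

```python
# (branch, fixed_in): "versions in branch below fixed_in"; branch None means any
# version below fixed_in. Taken verbatim from the entries on this page.
SUGAR_2017_RANGES = [(None, "7.7.2.3"), ("7.8", "7.8.2.2"), ("7.9", "7.9.2.0")]

AFFECTED_RANGES = {
    "CVE-2014-3244": [(None, "6.5.17")],
    "CVE-2017-14509": SUGAR_2017_RANGES,
    "CVE-2017-14510": SUGAR_2017_RANGES,
    "CVE-2020-17372": [(None, "10.1.0")],   # NVD figure; Packet Storm summary says 10.1.10
    "CVE-2020-17373": [(None, "10.1.0")],   # same discrepancy
}


def parse_version(text):
    """'7.8.2.1' -> (7, 8, 2, 1). Tuples compare component-wise, so (7, 8, 2) < (7, 8, 2, 1).

    Only dotted numeric versions are handled; suffixes such as '-beta' would need stripping.
    """
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, branch, fixed_in):
    """True if version is below fixed_in and, when a branch is given, lies within it."""
    v = parse_version(version)
    if branch is not None:
        prefix = parse_version(branch)
        if v[:len(prefix)] != prefix:
            return False
    return v < parse_version(fixed_in)


def affected_cves(version):
    """Sorted list of CVE IDs from this page whose stated ranges include version."""
    return sorted(
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(in_range(version, branch, fixed_in) for branch, fixed_in in ranges)
    )


if __name__ == "__main__":
    for v in ["6.5.16", "6.5.26", "7.8.2.1", "7.9.2.0", "10.1.0"]:
        print(v, "->", affected_cves(v) or "none of the listed ranges")
```

A version that matches none of the stated ranges is reported as clear only with respect to the ranges on this page; it says nothing about later advisories.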