CVE-2020-17373 – SugarCRM SQL Injection
https://notcve.org/view.php?id=CVE-2020-17373
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. SugarCRM versions prior to 10.1.10 suffer from a remote SQL injection vulnerability.
References:
- http://packetstormsecurity.com/files/158848/SugarCRM-SQL-Injection.html
- http://seclists.org/fulldisclosure/2020/Aug/9
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-051
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-17372 – SugarCRM Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-17372
SugarCRM before 10.1.0 (Q3 2020) allows XSS. SugarCRM versions prior to 10.1.10 suffer from multiple cross site scripting vulnerabilities.
References:
- http://packetstormsecurity.com/files/158847/SugarCRM-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2020/Aug/7
- https://support.sugarcrm.com/Resources/Security
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-025
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2020-026
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-3244
https://notcve.org/view.php?id=CVE-2014-3244
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
References:
- http://seclists.org/fulldisclosure/2014/Jun/92
- http://www.securityfocus.com/bid/68102
- https://web.archive.org/web/20151105182132/http://www.pnigos.com/?p=294
Weakness: CWE-611: Improper Restriction of XML External Entity Reference
CVE-2018-5715 – SugarCRM 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5715
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). SugarCRM version 3.5.1 suffers from a cross site scripting vulnerability.
References:
- https://www.exploit-db.com/exploits/43683
- https://m4k4br0.github.io/sugarcrm-xss
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-14509
https://notcve.org/view.php?id=CVE-2017-14509
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue.
References:
- https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007
- https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM
Weakness: CWE-20: Improper Input Validation