CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28955
https://notcve.org/view.php?id=CVE-2020-28955
22 Oct 2021 — SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields. Se ha detectado que SugarCRM versión v6.5.18, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el módulo Create Employee. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil dise... • https://www.vulnerability-lab.com/get_content.php?id=2257 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28956
https://notcve.org/view.php?id=CVE-2020-28956
22 Oct 2021 — Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en el módulo de ventas de SugarCRM versión v6.5.18, permiten a atacantes ejecutar scripts web arbitrarios o HTML por medio de cargas útiles diseñadas introducidas en los campos de entrada the primary... • https://www.vulnerability-lab.com/get_content.php?id=2249 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36501
https://notcve.org/view.php?id=CVE-2020-36501
22 Oct 2021 — Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en el módulo de Soporte de SugarCRM versión v6.5.18, permiten a atacantes ejecutar scripts web arbitrarios o HTML por medio de cargas útiles diseñadas introducidas en los campos de entrada primary ... • https://www.vulnerability-lab.com/get_content.php?id=2249 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 3CVE-2020-17373 – SugarCRM SQL Injection
https://notcve.org/view.php?id=CVE-2020-17373
12 Aug 2020 — SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. SugarCRM versiones anteriores a 10.1.0 (el Q3 2020), permite una inyección SQL SugarCRM versions prior to 10.1.10 suffer from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/158848 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2020-17372 – SugarCRM Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-17372
12 Aug 2020 — SugarCRM before 10.1.0 (Q3 2020) allows XSS. SugarCRM versiones anteriores a 10.1.0 (el Q3 2020), permite un ataque de tipo XSS SugarCRM versions prior to 10.1.10 suffer from multiple cross site scripting vulnerabilities. • https://packetstorm.news/files/id/158847 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 2CVE-2012-0694 – SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution
https://notcve.org/view.php?id=CVE-2012-0694
29 Oct 2019 — SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code. SugarCRM CE versiones anteriores a 6.3.1 incluyéndola, contiene scripts que usan la función "unserialize()" con entrada controlada por el usuario lo que permite a atacantes remotos ejecutar código PHP arbitrario. • https://www.exploit-db.com/exploits/19403 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2018-17784 – SugarCRM 6.5.26 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-17784
10 Oct 2018 — Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. Múltiples vulnerabilidades en YUI y FlashCanvas, embebidos en SugarCRM Community Edition 6.5.26 podrían permitir que un atacante remoto sin autenticar lleve a cabo un ataque Cross-Site Scripting (XSS) en un sistema objetivo. SugarCRM version 6.5.26 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/149782 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2014-3244
https://notcve.org/view.php?id=CVE-2014-3244
01 Feb 2018 — XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. Vulnerabilidad XEE (XML External Entity) en el dashlet RSSDashlet en SugarCRM en versiones anteriores a la 6.5.17 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar código arbitrario mediante un DTD manipulado en una petición XML. • http://seclists.org/fulldisclosure/2014/Jun/92 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-6308
https://notcve.org/view.php?id=CVE-2018-6308
25 Jan 2018 — Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php. Exi... • http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5715 – SugarCRM 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5715
16 Jan 2018 — phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). phprint.php en SugarCRM 3.5.1 tiene XSS mediante un nombre de parámetro en la cadena de consulta (también conocida como variable $key). SugarCRM version 3.5.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/145943 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •