CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17315
https://notcve.org/view.php?id=CVE-2019-17315
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección de objetos PHP en el módulo Administration por parte de un usuario Admin. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17316
https://notcve.org/view.php?id=CVE-2019-17316
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección de objetos PHP en el módulo Import por parte de un usuario Regular. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17317
https://notcve.org/view.php?id=CVE-2019-17317
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección de objetos PHP en el módulo UpgradeWizard por parte de un usuario Admin. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17318
https://notcve.org/view.php?id=CVE-2019-17318
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección SQL en el módulo pmse_Inbox por parte de un usuario Regular. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17319
https://notcve.org/view.php?id=CVE-2019-17319
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección SQL en el módulo Emails por parte de un usuario Regular. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-14974 – SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14974
14 Aug 2019 — SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS. SugarCRM Enterprise versión 9.0.0, permite un ataque de tipo XSS de mobile/error-not-support-platform.html? Desktop_url=. • https://www.exploit-db.com/exploits/47247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2018-17784 – SugarCRM 6.5.26 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-17784
10 Oct 2018 — Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. Múltiples vulnerabilidades en YUI y FlashCanvas, embebidos en SugarCRM Community Edition 6.5.26 podrían permitir que un atacante remoto sin autenticar lleve a cabo un ataque Cross-Site Scripting (XSS) en un sistema objetivo. SugarCRM version 6.5.26 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/149782 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2014-3244
https://notcve.org/view.php?id=CVE-2014-3244
01 Feb 2018 — XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. Vulnerabilidad XEE (XML External Entity) en el dashlet RSSDashlet en SugarCRM en versiones anteriores a la 6.5.17 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar código arbitrario mediante un DTD manipulado en una petición XML. • http://seclists.org/fulldisclosure/2014/Jun/92 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-6308
https://notcve.org/view.php?id=CVE-2018-6308
25 Jan 2018 — Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php. Exi... • http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5715 – SugarCRM 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5715
16 Jan 2018 — phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). phprint.php en SugarCRM 3.5.1 tiene XSS mediante un nombre de parámetro en la cadena de consulta (también conocida como variable $key). SugarCRM version 3.5.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/145943 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •