CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17318
https://notcve.org/view.php?id=CVE-2019-17318
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección SQL en el módulo pmse_Inbox por parte de un usuario Regular. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-17319
https://notcve.org/view.php?id=CVE-2019-17319
07 Oct 2019 — SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. SugarCRM versiones anteriores a 8.0.4 y versiones 9.x anteriores a 9.0.2, permite la inyección SQL en el módulo Emails por parte de un usuario Regular. • https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-14974 – SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14974
14 Aug 2019 — SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS. SugarCRM Enterprise versión 9.0.0, permite un ataque de tipo XSS de mobile/error-not-support-platform.html? Desktop_url=. • https://www.exploit-db.com/exploits/47247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2018-17784 – SugarCRM 6.5.26 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-17784
10 Oct 2018 — Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. Múltiples vulnerabilidades en YUI y FlashCanvas, embebidos en SugarCRM Community Edition 6.5.26 podrían permitir que un atacante remoto sin autenticar lleve a cabo un ataque Cross-Site Scripting (XSS) en un sistema objetivo. SugarCRM version 6.5.26 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/149782 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2014-3244
https://notcve.org/view.php?id=CVE-2014-3244
01 Feb 2018 — XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. Vulnerabilidad XEE (XML External Entity) en el dashlet RSSDashlet en SugarCRM en versiones anteriores a la 6.5.17 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar código arbitrario mediante un DTD manipulado en una petición XML. • http://seclists.org/fulldisclosure/2014/Jun/92 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-6308
https://notcve.org/view.php?id=CVE-2018-6308
25 Jan 2018 — Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php. Exi... • http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5715 – SugarCRM 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5715
16 Jan 2018 — phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). phprint.php en SugarCRM 3.5.1 tiene XSS mediante un nombre de parámetro en la cadena de consulta (también conocida como variable $key). SugarCRM version 3.5.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/145943 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2017-14508
https://notcve.org/view.php?id=CVE-2017-14508
17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker t... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 1%CPEs: 10EXPL: 1CVE-2017-14509
https://notcve.org/view.php?id=CVE-2017-14509
17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue. Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 1CVE-2017-14510
https://notcve.org/view.php?id=CVE-2017-14510
17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along. Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.9.x anteriores a la 7.9.2.0 (y Sugar Co... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •