
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 3

12 Aug 2020 — SugarCRM before 10.1.0 (Q3 2020) allows SQL injection. The linked Packet Storm advisory describes the issue as a remote SQL injection and gives the affected range as versions prior to 10.1.10. • https://packetstorm.news/files/id/158848 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 3

12 Aug 2020 — SugarCRM before 10.1.0 (Q3 2020) allows XSS. The linked Packet Storm advisory describes multiple cross-site scripting vulnerabilities and gives the affected range as versions prior to 10.1.10. • https://packetstorm.news/files/id/158847 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 93% • CPEs: 1 • EXPL: 2

29 Oct 2019 — SugarCRM CE <= 6.3.1 contains scripts that call "unserialize()" on user-controlled input, which allows remote attackers to execute arbitrary PHP code. • https://www.exploit-db.com/exploits/19403 • CWE-20: Improper Input Validation •
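Why unserialize() on attacker-controlled input is a code-execution primitive, and what the fix looks like. This is an added example written for this page, not SugarCRM code: the class name TempFileCleaner, the serialized blob and the SideEffects log are all constructed for the demonstration (PHP 8).

```php
<?php
// Added example (not SugarCRM code): PHP object injection through unserialize().

// An ordinary application class whose only sin is a magic method that acts on
// its own properties. Hypothetical; real gadgets unlink files, write logs, or
// render templates in __destruct()/__wakeup()/__toString().
final class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            // Stand-in for unlink($this->path): we only record what would happen.
            SideEffects::$log[] = "would unlink {$this->path}";
        }
    }
}

final class SideEffects
{
    /** @var string[] */
    public static array $log = [];
}

// Constructed attacker input: a serialized TempFileCleaner with a path the
// application never intended. Any autoloadable class is a candidate gadget.
const ATTACKER_BLOB = 'O:15:"TempFileCleaner":1:{s:4:"path";s:24:"/var/www/html/config.php";}';

// Vulnerable: the value (cookie, POST field, "state" token) is trusted as-is.
function restoreVulnerable(string $userInput): mixed
{
    return unserialize($userInput);                       // instantiates TempFileCleaner
}

// Hardened 1: forbid object instantiation. Objects in the payload become
// __PHP_Incomplete_Class, so no magic method of any real class ever runs.
function restoreHardened(string $userInput): mixed
{
    return unserialize($userInput, ['allowed_classes' => false]);
}

// Hardened 2 (preferred): do not use PHP serialization for untrusted data at all.
function restoreJson(string $userInput): mixed
{
    return json_decode($userInput, true, 16, JSON_THROW_ON_ERROR);
}

$obj = restoreVulnerable(ATTACKER_BLOB);
unset($obj);                                              // __destruct fires here
printf("vulnerable: %s\n", SideEffects::$log[0] ?? '(nothing)');

SideEffects::$log = [];
$safe = restoreHardened(ATTACKER_BLOB);
$class = get_class($safe);                                // __PHP_Incomplete_Class
unset($safe);                                             // no destructor to run
printf("hardened:   %s (object is %s)\n", SideEffects::$log[0] ?? 'no side effect', $class);

try {
    restoreJson(ATTACKER_BLOB);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

Run it once to see the destructor fire from the attacker's blob, then note that `allowed_classes => false` (PHP 7.0+) is a one-line mitigation for legacy code paths, while moving to JSON removes the class of bug entirely.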

CVSS: 9.8 • EPSS: 2% • CPEs: 1 • EXPL: 1

01 Feb 2018 — XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files, or potentially execute arbitrary code, via a crafted DTD in an XML request. • http://seclists.org/fulldisclosure/2014/Jun/92 • CWE-611: Improper Restriction of XML External Entity Reference •
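The mechanism behind the RSS dashlet finding, as an added example that is not SugarCRM's code: a feed whose DOCTYPE declares an external entity pointing at a local file, parsed first with entity substitution on (the file contents land in the title) and then with a hardened parser. The feed, the temp file and the function names are constructed for the demo; the libxml calls are real PHP APIs (PHP 8, Linux paths).

```php
<?php
// Added example (not SugarCRM code): XXE through a crafted DTD in an RSS document.

// Constructed "secret" written to a temp file so the demo runs offline and
// never reads a real system file.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretPath, 'db_password=hunter2');

// Constructed feed: the internal DTD subset defines an external entity that
// points at the local file, then references it inside <title>.
$feed = <<<XML
<?xml version="1.0"?>
<!DOCTYPE rss [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<rss version="2.0"><channel><item><title>&xxe;</title></item></channel></rss>
XML;

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, external ones
// included, so the parser opens the file and pastes its contents into the DOM.
function firstTitleVulnerable(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->getElementsByTagName('title')->item(0)->textContent;
}

// Hardened: (1) install an entity loader that refuses everything, so no flag a
// later caller passes can re-enable network or file access; (2) parse without
// LIBXML_NOENT / LIBXML_DTDLOAD; (3) a feed has no business carrying a DOCTYPE
// at all, so reject the document rather than trying to "clean" it.
function firstTitleHardened(string $xml): string
{
    libxml_set_external_entity_loader(static fn () => null);   // set once at bootstrap in real code

    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $dom->loadXML($xml);
    libxml_use_internal_errors($prev);

    if ($ok === false || $dom->doctype !== null) {
        throw new InvalidArgumentException('XML documents with a DTD are not accepted');
    }
    return $dom->getElementsByTagName('title')->item(0)?->textContent ?? '';
}

printf("vulnerable: %s\n", firstTitleVulnerable($feed));      // prints db_password=hunter2
try {
    printf("hardened:   %s\n", firstTitleHardened($feed));
} catch (InvalidArgumentException $e) {
    printf("hardened:   rejected (%s)\n", $e->getMessage());
}
unlink($secretPath);
```

The order matters when you read the output: the vulnerable call runs before the process-wide entity loader is replaced. In an application the loader should be installed at bootstrap, because `libxml_set_external_entity_loader()` is global state and the DOCTYPE check alone does not protect other parsers (SimpleXML, XMLReader) that share it.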

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 3

16 Jan 2018 — phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (the $key variable): the name of the parameter, not its value, is reflected unescaped. The linked Packet Storm advisory describes it as a single cross-site scripting vulnerability in version 3.5.1. • https://packetstorm.news/files/id/145943 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 • EPSS: 0% • CPEs: 10 • EXPL: 1

17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas in the Documents and Emails modules could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id sent to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker t... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
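Why a backslash at the very end of one parameter matters on MySQL, as an added example (not SugarCRM's code and not the RIPS proof of concept): a trailing backslash escapes the closing quote of its own literal, so the string runs on into the next quoted parameter, and whatever that second parameter contains is parsed as SQL. The quote-doubling sanitiser, the table and the scanner are constructed for the demonstration; the hardened path uses PDO prepared statements, shown against an in-memory SQLite database purely so the binding can be executed offline (PHP 8 with pdo_sqlite).

```php
<?php
// Added example (not SugarCRM code): trailing-backslash SQL injection on MySQL.

// Hypothetical flawed sanitiser: doubles single quotes, which is correct for
// SQLite or PostgreSQL with standard_conforming_strings, but ignores the
// backslash escapes MySQL honours by default (sql_mode without NO_BACKSLASH_ESCAPES).
function quoteDoubling(string $s): string
{
    return "'" . str_replace("'", "''", $s) . "'";
}

function buildQuery(string $beanId, string $name): string
{
    return 'SELECT id, name FROM emails WHERE id = ' . quoteDoubling($beanId)
         . ' AND name = ' . quoteDoubling($name) . ' AND deleted = 0';
}

// Minimal scanner for MySQL single-quoted literals (backslash escapes and ''
// both honoured). Returns the literals as MySQL would delimit them and the SQL
// text left outside any literal, with each literal replaced by '?': the
// injected tail shows up in that outside text.
function splitLiterals(string $sql): array
{
    $literals = [];
    $outside  = '';
    $len      = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        if ($sql[$i] !== "'") { $outside .= $sql[$i]; continue; }
        $lit = '';
        for ($i++; $i < $len; $i++) {
            $c = $sql[$i];
            if ($c === '\\' && $i + 1 < $len) { $lit .= $sql[++$i]; continue; }   // \x => x
            if ($c === "'") {
                if ($i + 1 < $len && $sql[$i + 1] === "'") { $lit .= "'"; $i++; continue; }
                break;                                                             // literal ends
            }
            $lit .= $c;
        }
        $literals[] = $lit;
        $outside   .= '?';
    }
    return ['literals' => $literals, 'outside' => $outside];
}

// Hardened: parameters travel separately from the SQL text, so no character in
// them can change where a literal ends.
function findEmailSafe(PDO $pdo, string $beanId, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM emails WHERE id = ? AND name = ? AND deleted = 0');
    $stmt->execute([$beanId, $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a bean_id ending in a lone backslash, and a second
// parameter that would be harmless on its own.
$beanId = 'abc\\';               // the string abc\
$name   = ' OR 1=1 -- -';

$sql   = buildQuery($beanId, $name);
$parts = splitLiterals($sql);
echo "query:            $sql\n";
echo "first literal:    {$parts['literals'][0]}\n";      // abc' AND name =   (swallowed the closing quote)
echo "outside literals: {$parts['outside']}\n";           // SELECT ... WHERE id = ? OR 1=1 -- -?

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE emails (id TEXT, name TEXT, deleted INTEGER)');
$pdo->exec("INSERT INTO emails VALUES ('e1', 'Quarterly report', 0), ('e2', 'Payroll', 0)");
echo 'rows via prepared statement: ', count(findEmailSafe($pdo, $beanId, $name)), "\n";   // 0
```

The lesson generalises beyond this one parameter: any escaping scheme has to match the exact dialect the server uses, and a single value that is escaped with the wrong rules (or not at all) can expose every other value concatenated into the same statement. Prepared statements sidestep the question entirely.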

CVSS: 8.8 • EPSS: 1% • CPEs: 10 • EXPL: 1

17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion was identified in the Connectors module that allows authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue. • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-20: Improper Input Validation •

CVSS: 6.1 • EPSS: 0% • CPEs: 10 • EXPL: 1

17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is vulnerable to unauthenticated cross-site scripting (XSS). The attack vector is mitigated by properly validating the redirect URL values being passed along. • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
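The two XSS entries above (the phprint.php parameter-name reflection and the WebToLeadCapture redirect URL) describe two sinks that commonly escape review, and one added example covers both. This is illustration code written for this page, not SugarCRM's: the print table, the Continue link, the query string and the host name crm.example are constructed; parse_str, parse_url and htmlspecialchars are standard PHP (PHP 8).

```php
<?php
// Added example (not SugarCRM code): XSS via a query-string *key*, and via an
// unvalidated redirect target written into markup.

// (1) Echoing parameter names. Escaping only $value is the classic slip.
function printParamsVulnerable(array $params): string
{
    $html = '';
    foreach ($params as $key => $value) {
        $html .= "<tr><th>$key</th><td>" . htmlspecialchars((string) $value) . "</td></tr>\n";
    }
    return $html;
}

function printParamsHardened(array $params): string
{
    $html = '';
    foreach ($params as $key => $value) {
        $k = htmlspecialchars((string) $key,   ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<tr><th>$k</th><td>$v</td></tr>\n";
    }
    return $html;
}

// (2) Redirect targets. Unchecked, a "redirect" value is both an open redirect
// and an XSS sink (javascript: URLs, attribute break-out) once it reaches markup.
function redirectVulnerable(string $target): string
{
    return "<a href=\"$target\">Continue</a>";
}

// Validate, don't sanitise: accept http(s) URLs on the expected host or
// same-origin absolute paths, and drop everything else.
function safeRedirectTarget(string $target, string $expectedHost): ?string
{
    if (str_contains($target, '\\')) {                 // browsers read /\evil.example as //evil.example
        return null;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme'])) {
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return null;                                 // javascript:, data:, vbscript:, ...
        }
        if (strcasecmp($parts['host'] ?? '', $expectedHost) !== 0) {
            return null;                                 // off-site, including user@evil tricks
        }
        return $target;
    }
    if (isset($parts['host']) || !str_starts_with($target, '/') || str_starts_with($target, '//')) {
        return null;                                     // protocol-relative or relative-path oddities
    }
    return $target;
}

function redirectHardened(string $target, string $expectedHost): string
{
    $safe = safeRedirectTarget($target, $expectedHost) ?? '/';
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">Continue</a>';
}

// Constructed query string. The payload avoids '.', ' ' and '[' because PHP
// rewrites those in parameter names; '<', '/', '=' and parentheses survive.
parse_str('record=42&%3Csvg%2Fonload%3Dalert(1)%3E=x', $params);
echo printParamsVulnerable($params);   // <th><svg/onload=alert(1)></th> ... executes as markup
echo printParamsHardened($params);     // <th>&lt;svg/onload=alert(1)&gt;</th>

foreach (['javascript:alert(1)', '//evil.example/', 'https://crm.example/index.php?module=Leads', '/index.php?module=Home'] as $t) {
    printf("%-45s -> %s\n", $t, redirectHardened($t, 'crm.example'));
}
```

Two points worth taking from the output: escaping has to be applied to every attacker-influenced fragment that reaches the page, names as well as values, and a redirect parameter needs structural validation (scheme and host allowlist) before escaping, because a perfectly escaped `javascript:` URL is still executable once the user clicks it.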

CVSS: 4.3 • EPSS: 33% • CPEs: 63 • EXPL: 2

16 Mar 2011 — SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php. • https://www.exploit-db.com/exploits/35467 • CWE-20: Improper Input Validation •

CVSS: 9.8 • EPSS: 0% • CPEs: 36 • EXPL: 0

27 Aug 2009 — SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. • http://jvn.jp/en/jp/JVN31035930/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •