CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 3CVE-2020-17373 – SugarCRM SQL Injection
https://notcve.org/view.php?id=CVE-2020-17373
12 Aug 2020 — SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. SugarCRM versiones anteriores a 10.1.0 (el Q3 2020), permite una inyección SQL SugarCRM versions prior to 10.1.10 suffer from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/158848 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2020-17372 – SugarCRM Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-17372
12 Aug 2020 — SugarCRM before 10.1.0 (Q3 2020) allows XSS. SugarCRM versiones anteriores a 10.1.0 (el Q3 2020), permite un ataque de tipo XSS SugarCRM versions prior to 10.1.10 suffer from multiple cross site scripting vulnerabilities. • https://packetstorm.news/files/id/158847 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 2CVE-2012-0694 – SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution
https://notcve.org/view.php?id=CVE-2012-0694
29 Oct 2019 — SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code. SugarCRM CE versiones anteriores a 6.3.1 incluyéndola, contiene scripts que usan la función "unserialize()" con entrada controlada por el usuario lo que permite a atacantes remotos ejecutar código PHP arbitrario. • https://www.exploit-db.com/exploits/19403 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2014-3244
https://notcve.org/view.php?id=CVE-2014-3244
01 Feb 2018 — XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. Vulnerabilidad XEE (XML External Entity) en el dashlet RSSDashlet en SugarCRM en versiones anteriores a la 6.5.17 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar código arbitrario mediante un DTD manipulado en una petición XML. • http://seclists.org/fulldisclosure/2014/Jun/92 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2018-5715 – SugarCRM 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5715
16 Jan 2018 — phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). phprint.php en SugarCRM 3.5.1 tiene XSS mediante un nombre de parámetro en la cadena de consulta (también conocida como variable $key). SugarCRM version 3.5.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/145943 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2017-14508
https://notcve.org/view.php?id=CVE-2017-14508
17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker t... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 1%CPEs: 10EXPL: 1CVE-2017-14509
https://notcve.org/view.php?id=CVE-2017-14509
17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue. Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 1CVE-2017-14510
https://notcve.org/view.php?id=CVE-2017-14510
17 Sep 2017 — An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along. Existe un problema en SugarCRM en versiones anteriores a la 7.7.2.3, en versiones 7.8.x anteriores a la 7.8.2.2 y en versiones 7.9.x anteriores a la 7.9.2.0 (y Sugar Co... • https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 14EXPL: 8CVE-2011-4833 – SugarCRM Community Edition 6.3.0RC1 - 'index.php' Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2011-4833
15 Dec 2011 — Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php. Múltiples vulnerabilidades de inyección SQL en el módulo Leads en SugarCRM v6.1 antes de v6.1.7, v6.2 antes de v6.2.4, v6.3 antes de v6.3.0RC3, y v6.4 antes de v6.4.0beta1, permite a atacantes remotos ejecutar comandos... • https://www.exploit-db.com/exploits/36384 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3803
https://notcve.org/view.php?id=CVE-2011-3803
24 Sep 2011 — SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files. SugarCRM v6.1.0 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con themes/Sugar5/layout_utils.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •