VYPR
Unrated severity · NVD Advisory · Published Jan 10, 2020 · Updated Aug 6, 2024

CVE-2014-4984


Description

Déjà Vu Crescendo Sales CRM has remote SQL Injection

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Déjà Vu Crescendo Sales CRM suffers from a remote SQL injection vulnerability.

Vulnerability

Per the official description, Déjà Vu Crescendo Sales CRM contains a remote SQL injection vulnerability [1]. The available reference provides no version details beyond the product name "Crescendo Sales CRM" [1]. The vulnerable code path is reachable via remote input without requiring special configuration beyond a network-accessible installation.

Exploitation

An attacker can exploit this vulnerability remotely by sending crafted SQL queries through the CRM's input parameters [1]. No authentication is mentioned as a prerequisite; the reference describes it as "remote SQL injection," implying network access is sufficient. The concrete steps involve injecting malicious SQL statements into user-supplied fields that are not properly sanitized, allowing arbitrary database commands to be executed.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the CRM's database [1]. This can lead to unauthorized access to sensitive data, modification or deletion of records, and potential compromise of the underlying system depending on database permissions. The impact is primarily on confidentiality and integrity, with possible privilege escalation if the database user has elevated rights.

Mitigation

No fixed version or patch is disclosed in the available reference [1]. The vendor should apply proper input validation and parameterized queries to prevent SQL injection. As of the publication date, no specific workaround is provided. Users are advised to contact the vendor for updates or restrict network access to the CRM application until a fix is available.

References
  1. Packet Storm

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
