Sugarcrm
by Sugarcrm
CVEs (62)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-35811 | 0.00 | — | 0.01 | Jun 17, 2023 | An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user… | |||
| CVE-2020-28955 | 0.00 | — | 0.01 | Oct 22, 2021 | SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields. | |||
| CVE-2020-28956 | 0.00 | — | 0.01 | Oct 22, 2021 | Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. | |||
| CVE-2020-36501 | 0.00 | — | 0.01 | Oct 22, 2021 | Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. | |||
| CVE-2020-7472 | 0.00 | — | 0.03 | Nov 12, 2020 | An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted… | |||
| CVE-2020-17373 | 0.00 | — | 0.01 | Aug 12, 2020 | SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. | |||
| CVE-2020-17372 | 0.00 | — | 0.01 | Aug 12, 2020 | SugarCRM before 10.1.0 (Q3 2020) allows XSS. | |||
| CVE-2019-17292 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user. | |||
| CVE-2019-17293 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user. | |||
| CVE-2019-17294 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user. | |||
| CVE-2019-17295 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user. | |||
| CVE-2019-17296 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user. | |||
| CVE-2019-17297 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user. | |||
| CVE-2019-17298 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user. | |||
| CVE-2019-17299 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user. | |||
| CVE-2019-17300 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user. | |||
| CVE-2019-17301 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user. | |||
| CVE-2019-17302 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. | |||
| CVE-2019-17303 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user. | |||
| CVE-2019-17304 | 0.00 | — | 0.01 | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user. |
- CVE-2023-35811Jun 17, 2023risk 0.00cvss —epss 0.01
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user…
- CVE-2020-28955Oct 22, 2021risk 0.00cvss —epss 0.01
SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the First Name or Last Name input fields.
- CVE-2020-28956Oct 22, 2021risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
- CVE-2020-36501Oct 22, 2021risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields.
- CVE-2020-7472Nov 12, 2020risk 0.00cvss —epss 0.03
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted…
- CVE-2020-17373Aug 12, 2020risk 0.00cvss —epss 0.01
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
- CVE-2020-17372Aug 12, 2020risk 0.00cvss —epss 0.01
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
- CVE-2019-17292Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user.
- CVE-2019-17293Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user.
- CVE-2019-17294Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user.
- CVE-2019-17295Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user.
- CVE-2019-17296Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user.
- CVE-2019-17297Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.
- CVE-2019-17298Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.
- CVE-2019-17299Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user.
- CVE-2019-17300Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user.
- CVE-2019-17301Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user.
- CVE-2019-17302Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.
- CVE-2019-17303Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
- CVE-2019-17304Oct 7, 2019risk 0.00cvss —epss 0.01
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.
Page 2 of 4