Vendor CVEs
Sugarcrm
All CVEs
69 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-17309 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user. |
| CVE-2019-17310 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user. |
| CVE-2019-17311 | | | 0.00 | — | 0.02 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user. |
| CVE-2019-17312 | | | 0.00 | — | 0.02 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user. |
| CVE-2019-17313 | | | 0.00 | — | 0.02 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user. |
| CVE-2019-17314 | | | 0.00 | — | 0.02 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user. |
| CVE-2019-17315 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user. |
| CVE-2019-17316 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user. |
| CVE-2019-17317 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. |
| CVE-2019-17318 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. |
| CVE-2019-17319 | | | 0.00 | — | 0.01 | | Oct 7, 2019 | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. |
| CVE-2011-3803 | | | 0.00 | — | 0.01 | | Sep 24, 2011 | SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/Sugar5/layout_utils.php and certain other files. |
| CVE-2010-0465 | | | 0.00 | — | 0.01 | | Mar 19, 2010 | Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field. |
| CVE-2009-2978 | | | 0.00 | — | 0.01 | | Aug 27, 2009 | SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2006-6712 | | | 0.00 | — | 0.01 | | Dec 23, 2006 | Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in crafted email messages. |
| CVE-2006-5082 | | | 0.00 | — | 0.02 | | Sep 29, 2006 | Unspecified vulnerability in Sugar Suite Open Source (SugarCRM) before 4.2.1 Patch C (20060917) has unspecified impact, related to code execution, and unspecified attack vectors. |
| CVE-2004-1228 | | | 0.00 | — | 0.01 | | Jan 10, 2005 | The install scripts in SugarCRM Sugar Sales 2.0.1c and earlier are not removed after installation, which allows attackers to obtain the MySQL administrative password in cleartext from an installation form, or to cause a denial of service by changing database settings to the… |
| CVE-2004-1226 | | | 0.00 | — | 0.01 | | Jan 10, 2005 | SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter. |
| CVE-2005-0266 | | | 0.00 | — | 0.01 | | Jan 1, 2005 | Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter. |
Page 2 of 2