CyberSec.Space Logo
Back to CVE Browser

CVE-2018-6308

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0950%
EPSS Percentile1.41th
PublishedJan 25, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.

Affected Platforms (CPE)

📦
Sugarcrm

Sugarcrm

= 6.5.26

References & Advisories

🔗 http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf
🔗 http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf

Related Vulnerabilities

CVE-2004-122510.0

SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and ga...

CVE-2004-122710.0

Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and p...

CVE-2020-74729.8

An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before ...

CVE-2012-06949.8

SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute...