Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
See advisories in our WLB2 database:
SugarCRM 6.5.26 Cross Site Scripting
(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modu...
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
An issue was discovered in SugarCRM before 22.214.171.124, 7.8.x before 126.96.36.199, and 7.9.x before 188.8.131.52 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. Thi...
An issue was discovered in SugarCRM before 184.108.40.206, 7.8.x before 220.127.116.11, and 7.9.x before 18.104.22.168 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to p...
An issue was discovered in SugarCRM before 22.214.171.124, 7.8.x before 126.96.36.199, and 7.9.x before 188.8.131.52 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remo...
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order paramet...