SugarCRM Security Vulnerabilities
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.)
CVSS Score: 9.8 | EPSS Score: 0.012 | Published: 2020-11-12

SugarCRM before 10.1.0 (Q3 2020) allows XSS.
CVSS Score: 5.4 | EPSS Score: 0.005 | Published: 2020-08-12

SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
CVSS Score: 5.3 | EPSS Score: 0.012 | Published: 2020-08-12

SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user-controlled input, which allows remote attackers to execute arbitrary PHP code.
CVSS Score: 9.8 | EPSS Score: 0.837 | Published: 2019-10-29

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user.
CVSS Score: 8.8 | EPSS Score: 0.007 | Published: 2019-10-07

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user.
CVSS Score: 8.8 | EPSS Score: 0.007 | Published: 2019-10-07

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user.
CVSS Score: 8.8 | EPSS Score: 0.007 | Published: 2019-10-07

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user.
CVSS Score: 7.2 | EPSS Score: 0.006 | Published: 2019-10-07

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2019-10-07

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2019-10-07
Shodan ® - All rights reserved