SB2019101701 - Multiple vulnerabilities in SugarCRM
Published: October 17, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 34 secuirty vulnerabilities.
1) Reflected cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "form" parameter when handling the "Popup" action within the "DataSets" module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Reflected cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the “name” parameter when handling the “Popup” action within the “DataSets” module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Reflected cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the “type” parameter when handling the “dupcheck” action within the “Import” module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Reflected cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the “message” parameter when handling the “error” action within the “Import” module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Reflected cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the “direct_step” parameter when handling the “WizardNewsletter” action within the “Campaigns” module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Reflected cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the the “iframe_type” parameter when handling the “IframeDropdown” action within the “WorkFlow” module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) SQL injection (CVE-ID: CVE-2019-17293)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "pmse_Project" module in multiple parameters. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
8) SQL injection (CVE-ID: CVE-2019-17292)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "pmse_Inbox" module in multiple parameters. A remote authenticated administrator can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
9) SQL injection (CVE-ID: CVE-2019-17294)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the export function. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
10) SQL injection (CVE-ID: CVE-2019-17295)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the history function in the REST API. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
11) SQL injection (CVE-ID: CVE-2019-17296)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Contacts module. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
12) SQL injection (CVE-ID: CVE-2019-17297)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Quotes module. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
13) SQL injection (CVE-ID: CVE-2019-17298)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Administration module. A remote authenticated developer user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
14) Code Injection (CVE-ID: CVE-2019-17299)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Administration module in multiple parameters. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Code Injection (CVE-ID: CVE-2019-17300)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Administration module in multiple parameters. A remote authenticated developer user can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Code Injection (CVE-ID: CVE-2019-17301)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the ModuleBuilder module in multiple parameters. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Code Injection (CVE-ID: CVE-2019-17302)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the ModuleBuilder module. A remote authenticated developer user can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
18) Code Injection (CVE-ID: CVE-2019-17303)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the MergeRecords module in multiple parameters. A remote authenticated developer user can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
19) Code Injection (CVE-ID: CVE-2019-17304)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the MergeRecords module in multiple parameters. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
20) Code Injection (CVE-ID: CVE-2019-17305)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the MergeRecords module in multiple parameters. A remote authenticated attacker can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
21) Code Injection (CVE-ID: CVE-2019-17306)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Configurator module. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
22) Code Injection (CVE-ID: CVE-2019-17307)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Tracker module. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
23) Code Injection (CVE-ID: CVE-2019-17308)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Emails module. A remote authenticated attacker can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
24) Code Injection (CVE-ID: CVE-2019-17309)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the EmailMan module. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
25) Code Injection (CVE-ID: CVE-2019-17310)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Campaigns module. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
26) Path traversal (CVE-ID: CVE-2019-17311)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists in the attachment function in the REST API due to input validation error when processing directory traversal sequences. A remote authenticated attacker can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.
27) Path traversal (CVE-ID: CVE-2019-17312)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists in the file function in the REST APIdue to input validation error when processing directory traversal sequences. A remote authenticated attacker can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.
28) Path traversal (CVE-ID: CVE-2019-17313)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists in the Studio moduledue to input validation error when processing directory traversal sequences. A remote authenticated developer user can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.
29) Path traversal (CVE-ID: CVE-2019-17314)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists in the Configurator module due to input validation error when processing directory traversal sequences. A remote authenticated administrator can send a specially crafted HTTP request and inject arbitrary PHP code on the target system.
30) Code Injection (CVE-ID: CVE-2019-17315)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Administration module. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
31) Code Injection (CVE-ID: CVE-2019-17316)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the Import module in multiple parameters. A remote authenticated attacker can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
32) Code Injection (CVE-ID: CVE-2019-17317)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the UpgradeWizard module. A remote authenticated administrator can send a specially crafted request and execute arbitrary PHP code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
33) SQL injection (CVE-ID: CVE-2019-17318)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "pmse_Inbox" module in multiple parameters. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
34) SQL injection (CVE-ID: CVE-2019-17319)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Emails module. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Remediation
Install update from vendor's website.
References
- http://karmainsecurity.com/KIS-2019-03
- https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-020/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-019/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-021/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-022/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-023/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-024/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-025/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-026/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-027/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-028/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-029/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-031/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-032/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-033/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-034/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-035/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-036/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-037/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-038/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-039/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-040/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-041/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-044/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-046/
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-047/