Cross-site scripting in SugarCRM - CVE-2017-14510

Published: September 17, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU38281
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-14510
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SugarCRM Inc.
Affected software:
SugarCRM

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality was found to be vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by properly validating the redirect URL values being passed along.
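The following is an added example, not SugarCRM's own code, of the kind of redirect-URL validation the advisory refers to. It assumes a web-to-lead style form that accepts a redirect parameter from an unauthenticated client and reflects it into the response markup (the usual way an unvalidated redirect value turns into XSS; the page does not describe SugarCRM's exact sink). The allow-list of hosts, the fallback URL and the function names are constructed for the example. The weak rendering function is shown beside the hardened one so the difference is visible.

```python
"""Added example (not SugarCRM code): validate an attacker-controlled
redirect URL from a web-to-lead form before using it in a response."""
from html import escape
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list of hosts a lead may be redirected to (assumption).
ALLOWED_REDIRECT_HOSTS: Set[str] = {"www.example.com", "crm.example.com"}

# Constructed fallback used whenever the supplied value is rejected.
FALLBACK_REDIRECT = "https://www.example.com/thanks"


def validate_redirect_url(url: str,
                          allowed_hosts: Set[str] = ALLOWED_REDIRECT_HOSTS
                          ) -> Optional[str]:
    """Return the URL unchanged if it is an acceptable redirect target,
    otherwise None. Rejects non-http(s) schemes (javascript:, data:,
    vbscript:, scheme-relative //host), control characters and whitespace
    that could split a header or hide a scheme from naive checks, and any
    authority that is not exactly an allow-listed host (so embedded
    credentials like host@evil and non-default ports are rejected too)."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return None
    if any(ord(c) < 0x20 or c in " \t\x7f" for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if parts.netloc.lower() not in allowed_hosts:
        return None
    return url


def render_redirect_vulnerable(redirect_url: str) -> str:
    """The pattern to avoid: the client-supplied value is reflected into
    markup with no validation and no output encoding."""
    return f'<meta http-equiv="refresh" content="0;url={redirect_url}">'


def render_redirect_hardened(redirect_url: str,
                             fallback: str = FALLBACK_REDIRECT) -> str:
    """Validate first, fall back to a known-good target on rejection, and
    HTML-encode the value on output so it cannot break out of the attribute
    even if a validated URL contains quote characters."""
    target = validate_redirect_url(redirect_url) or fallback
    return (f'<meta http-equiv="refresh" '
            f'content="0;url={escape(target, quote=True)}">')


if __name__ == "__main__":
    for candidate in ("https://www.example.com/thanks?id=7",
                      "//evil.example.net/",
                      "https://www.example.com@evil.example.net/"):
        print(candidate, "->", validate_redirect_url(candidate))
```

Validation and output encoding are independent controls: the allow-list decides where a browser may be sent, while `escape(..., quote=True)` keeps a legitimate URL that happens to contain `"` or `<` from altering the surrounding markup. Comparing the whole `netloc` rather than just the hostname is deliberate, so that userinfo tricks and unexpected ports fail closed.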


How to mitigate CVE-2017-14510

Install update from vendor's website.

Sources