#VU38281 Cross-site scripting in SugarCRM - CVE-2017-14510


Updated: 2020-08-08

Vulnerability identifier: #VU38281

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-14510

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SugarCRM
Web applications / CMS

Vendor: SugarCRM Inc.

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary script in a victim's browser and thereby read and manipulate data.

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is vulnerable to unauthenticated cross-site scripting (XSS) attacks. The attack vector is mitigated by properly validating the redirect URL values passed to that handler before they are used.
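The fix the advisory describes is validation of the redirect URL before it is reused. The following is an added example (not SugarCRM's own code, and not taken from the RIPS write-up) of what such validation looks like, next to the kind of unvalidated reflection that makes an unauthenticated form endpoint an XSS vector. The parameter name `redirect_url`, the host allow-list, the meta-refresh rendering and all sample inputs are constructed for illustration.

```python
"""Added example: validating a redirect URL before it is reflected.

Assumptions (hypothetical, not from the advisory): a form handler reads a
'redirect_url' request parameter and reflects it into a meta-refresh tag on
a confirmation page. The allow-list and sample inputs are constructed.
"""
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allow-list: only redirect back to hosts this deployment owns.
ALLOWED_HOSTS = {"crm.example.com", "www.example.com"}
FALLBACK_URL = "https://crm.example.com/"   # fixed value, never the input


def validate_redirect_url(value, allowed_hosts=ALLOWED_HOSTS):
    """Return value unchanged if it is an absolute http(s) URL whose host is
    on the allow-list, otherwise None.

    Rejects javascript:/data: schemes, scheme-relative '//evil' forms,
    userinfo tricks (https://good@evil/), relative paths, and any string
    containing control characters (which browsers tolerate inside schemes).
    """
    if not isinstance(value, str) or len(value) > 2048:
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None          # also catches '' (relative / '//host' forms)
    if parts.username is not None or parts.password is not None:
        return None          # https://crm.example.com@evil.example/
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return None
    return value


def render_confirmation(redirect_url):
    """Return (unsafe_html, hardened_html) for the same input.

    unsafe_html reflects the parameter verbatim, so a value that closes the
    attribute and opens a <script> tag runs in the victim's browser.
    hardened_html only ever emits an allow-listed URL (or the fixed fallback)
    and HTML-escapes it on output.
    """
    unsafe = '<meta http-equiv="refresh" content="0;url=%s">' % redirect_url
    safe_url = validate_redirect_url(redirect_url) or FALLBACK_URL
    hardened = '<meta http-equiv="refresh" content="0;url=%s">' % escape(
        safe_url, quote=True
    )
    return unsafe, hardened


# Constructed sample inputs an attacker could place in the form's
# redirect parameter, plus one legitimate value.
SAMPLES = [
    "https://crm.example.com/thanks",          # legitimate
    "javascript:alert(1)",                     # script scheme
    "\tjavascript:alert(1)",                   # control char before scheme
    "//evil.example/",                         # scheme-relative
    '"><script>alert(1)</script>',             # breaks out of the attribute
    "https://crm.example.com@evil.example/",   # userinfo trick
    "https://evil.example/",                   # off allow-list host
]


def check_samples():
    """Map each sample to whether the validator accepts it."""
    return {s: validate_redirect_url(s) is not None for s in SAMPLES}


if __name__ == "__main__":
    for sample, ok in check_samples().items():
        print("ACCEPT" if ok else "REJECT", repr(sample))
```

Validation happens on the parsed URL (scheme, userinfo, host), not on substrings of the raw string, and the output is still HTML-escaped; the allow-list is what turns an open redirect into a closed one, and the escaping is what keeps a reflected value from breaking out of the attribute even if the allow-list is later loosened.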

Mitigation
Install the update from the vendor's website. Fixed releases are 7.7.2.3, 7.8.2.2 and 7.9.2.0 (see the description above and SugarCRM SA-2017-008); Sugar Community Edition 6.5.26 is affected and has no fixed release listed here.

Vulnerable software versions

SugarCRM: 6.5.26 - 7.9.1.0


External links
https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/
https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

