Vulnerabilities > Sugarcrm > Critical

DATE CVE VULNERABILITY TITLE RISK
2020-11-12 CVE-2020-7472 Improper Input Validation vulnerability in Sugarcrm
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests.
network
low complexity
sugarcrm CWE-20
critical
 9.8
9.8
2019-10-29 CVE-2012-0694 Improper Input Validation vulnerability in Sugarcrm 6.3.1
SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code.
network
low complexity
sugarcrm CWE-20
critical
 9.8
9.8
2018-02-01 CVE-2014-3244 XXE vulnerability in Sugarcrm
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
network
low complexity
sugarcrm CWE-611
critical
 9.8
9.8
2018-01-25 CVE-2018-6308 SQL Injection vulnerability in Sugarcrm 6.5.26
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.
network
low complexity
sugarcrm CWE-89
critical
 9.8
9.8