SugarCRM: high-risk vulnerabilities

Each entry lists the publication date, CVE identifier and title, the description, and the risk data: attack vector, attack complexity, affected product, CWE where one is assigned, and CVSS score.
2019-10-07  CVE-2019-17316  PHP Object Injection vulnerability in SugarCRM
  SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CVSS score: 8.8
2019-10-07  CVE-2019-17315  PHP Object Injection vulnerability in SugarCRM
  SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CVSS score: 7.2
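The two entries above describe the same bug class: application state that a user can submit and that the server restores with PHP's unserialize(). The following is an added illustration of why that is exploitable and how it is fixed; it is not SugarCRM code and says nothing about the actual Import or Administration module vector. The ImportCache class, the function names and the file paths are hypothetical, and the script assumes PHP 8 on a POSIX system.

```php
<?php
// Added illustration of PHP object injection (not SugarCRM code).
// The gadget class, function names and file paths are hypothetical.

declare(strict_types=1);

// A "gadget": any class already loadable by the application whose magic
// methods do something useful to an attacker. Here __destruct() writes a
// file, a common primitive for dropping a web shell.
class ImportCache
{
    public string $path = '';
    public string $contents = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable pattern: state round-tripped through the client and restored
// with unserialize(). PHP instantiates whatever class the string names, so
// the attacker picks the class and its properties.
function restoreImportStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class and no magic method of the real class runs.
function restoreImportStateNoClasses(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for client-held state.
// JSON decodes to arrays and scalars only, so there is no object to inject.
function restoreImportStateJson(string $untrusted): array
{
    $state = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($state)) {
        throw new UnexpectedValueException('import state must be a JSON object');
    }
    return $state;
}

// Constructed payload: what an attacker submits in place of the expected
// state. Built with serialize() here for readability; an attacker writes
// the string by hand and needs no access to the class source.
$gadget = new ImportCache();
$gadget->path = sys_get_temp_dir() . '/oi_demo_' . getmypid() . '.txt';
$gadget->contents = "<?php echo 'gadget ran'; ?>";
$payload = serialize($gadget);
$dropped = $gadget->path;
$gadget->path = ''; // disarm the original so only the deserialized copy writes
unset($gadget);

echo "payload: {$payload}\n";

$obj = restoreImportStateVulnerable($payload);
unset($obj); // __destruct() fires here and writes the attacker-controlled file
echo 'vulnerable: file written = ' . var_export(file_exists($dropped), true) . "\n";
@unlink($dropped);

$obj = restoreImportStateNoClasses($payload);
echo 'hardened: class = ' . get_class($obj) . "\n"; // __PHP_Incomplete_Class
unset($obj);
echo 'hardened: file written = ' . var_export(file_exists($dropped), true) . "\n";
```

The point the two CVSS scores make is visible in the payload: the attacker needs nothing from the server except a reachable unserialize() call and one loadable class with a useful magic method, so the only difference between the two entries is which role can reach the call (a Regular user for the Import module, an Admin for Administration).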
2018-02-01  CVE-2014-3244  XXE vulnerability in SugarCRM
  XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CWE: CWE-611 (Improper Restriction of XML External Entity Reference) | CVSS score: 7.5
2018-01-25  CVE-2018-6308  SQL Injection vulnerability in SugarCRM Community Edition 6.5.26 and earlier
  Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via:
    the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php;
    the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php;
    the duplicate parameter to modules\Contacts\ShowDuplicates.php;
    the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php;
    the load_signed_id parameter to modules\Documents\Document.php.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CWE: CWE-89 (SQL Injection) | CVSS score: 7.5
2011-12-15  CVE-2011-4833  SQL Injection vulnerability in SugarCRM
  Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CWE: CWE-89 (SQL Injection) | CVSS score: 7.5
2009-08-27  CVE-2009-2978  SQL Injection vulnerability in SugarCRM
  SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CWE: CWE-89 (SQL Injection) | CVSS score: 7.5
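The three SQL injection entries above (CVE-2018-6308, CVE-2011-4833 and CVE-2009-2978) share one root cause, and CVE-2011-4833's where and order parameters show the two flavours a fix has to handle separately: a value, which can be bound, and an identifier in ORDER BY, which cannot. The following added example is not SugarCRM code; the leads table, the parameter handling and the query shapes are hypothetical, and an in-memory SQLite database via PDO (pdo_sqlite extension, PHP 8 assumed) stands in for the CRM database.

```php
<?php
// Added illustration of the SQL injection class in the entries above
// (not SugarCRM code; table, queries and inputs are constructed).

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE leads (id INTEGER PRIMARY KEY, name TEXT, email TEXT, owner TEXT)');
$db->exec("INSERT INTO leads (name, email, owner) VALUES
    ('Alice', 'alice@example.com', 'sales1'),
    ('Bob',   'bob@example.com',   'sales2'),
    ('Carol', 'carol@example.com', 'sales1')");

// Vulnerable: request-controlled "where" and "order" values are spliced into
// the statement text, the pattern behind a get_full_list style action.
function listLeadsVulnerable(PDO $db, string $owner, string $order): array
{
    $sql = "SELECT id, name FROM leads WHERE owner = '{$owner}' ORDER BY {$order}";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: data goes through a bound parameter. Identifiers (the ORDER BY
// column and direction) cannot be bound, so they are checked against an
// allowlist and only the allowlisted token is interpolated.
function listLeadsHardened(PDO $db, string $owner, string $order): array
{
    $allowedColumns = ['id', 'name', 'email'];
    [$column, $direction] = array_pad(explode(' ', trim($order), 2), 2, 'ASC');
    $direction = strtoupper($direction);
    if (!in_array($column, $allowedColumns, true) || !in_array($direction, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('invalid sort specification');
    }
    $stmt = $db->prepare("SELECT id, name FROM leads WHERE owner = :owner ORDER BY {$column} {$direction}");
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker inputs: the first closes the string literal and
// neutralises the owner filter; the second tries to smuggle a second statement
// through the sort parameter.
$evilOwner = "x' OR '1'='1";
$evilOrder = "id; --";

echo 'vulnerable rows: ' . count(listLeadsVulnerable($db, $evilOwner, 'id')) . "\n";   // 3 (every lead)
echo 'hardened rows:   ' . count(listLeadsHardened($db, $evilOwner, 'id')) . "\n";     // 0 (no such owner)
echo 'legit rows:      ' . count(listLeadsHardened($db, 'sales1', 'name DESC')) . "\n"; // 2
try {
    listLeadsHardened($db, 'sales1', $evilOrder);
} catch (InvalidArgumentException $e) {
    echo 'hardened order: ' . $e->getMessage() . "\n";
}
```

The allowlist for ORDER BY is the part most often skipped: escaping functions such as quote() only protect string literals, so a sort column or direction taken from the request has to be matched against a fixed set of names rather than escaped.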
2006-09-29  CVE-2006-5082  Unspecified code execution vulnerability in Sugar Suite (SugarCRM)
  Unspecified vulnerability in Sugar Suite Open Source (SugarCRM) before 4.2.1 Patch C (20060917) has unspecified impact, related to code execution, and unspecified attack vectors.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CVSS score: 7.5
2005-12-08  CVE-2005-4087  Remote and Local File Include vulnerability in SugarCRM Sugar Suite 3.5/4.0 Beta
  PHP remote file include vulnerability in acceptDecline.php in Sugar Suite Open Source Customer Relationship Management (SugarCRM) 4.0 beta and earlier allows remote attackers to execute arbitrary PHP code via a URL in the beanFiles array parameter.
  Attack vector: network | Attack complexity: low | Product: sugarcrm | CVSS score: 7.5
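The entry above names the classic PHP file-include shape: an array of file names taken from the request and passed to include. The following added example is not SugarCRM's acceptDecline.php; the module registry, the file layout and the function names are hypothetical, and the beanFiles name is reused only to tie the example to the entry. It assumes PHP 8 on a POSIX system and runs against a temporary directory it creates itself.

```php
<?php
// Added illustration of remote/local file include (not SugarCRM code).
// The registry, directory layout and function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: request-supplied paths are handed straight to include.
// With allow_url_include=On this fetches and runs remote code (the CVE's
// vector); without it, "../" traversal still includes any local PHP file
// the web server can read, and wrappers such as php://filter remain reachable.
function loadBeansVulnerable(array $beanFiles): void
{
    foreach ($beanFiles as $file) {
        require_once $file;
    }
}

// Hardened pattern: the request selects a key, never a path. Keys map to files
// under a fixed directory and the resolved path must still lie inside it.
function loadBeansHardened(array $beanNames, string $baseDir): array
{
    $registry = [
        'Meetings' => 'modules/Meetings/Meeting.php',
        'Calls'    => 'modules/Calls/Call.php',
    ];
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('bean directory missing');
    }
    $loaded = [];
    foreach ($beanNames as $name) {
        if (!is_string($name) || !isset($registry[$name])) {
            throw new InvalidArgumentException('unknown bean: ' . var_export($name, true));
        }
        $path = realpath($base . DIRECTORY_SEPARATOR . $registry[$name]);
        if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            throw new RuntimeException("bean file for {$name} is outside {$base}");
        }
        require_once $path;
        $loaded[] = $path;
    }
    return $loaded;
}

// Constructed file layout so the script runs stand-alone.
$root = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir("{$root}/modules/Meetings", 0700, true);
file_put_contents("{$root}/modules/Meetings/Meeting.php", "<?php echo \"Meeting bean loaded\\n\";");
file_put_contents("{$root}/outside.php", "<?php echo \"outside.php ran (should never happen)\\n\";");

// Hardened: the legitimate key works; traversal, URL and non-string inputs are rejected.
loadBeansHardened(['Meetings'], $root);
foreach ([['../outside.php'], ['http://attacker.example/shell.txt'], [['nested']]] as $attempt) {
    try {
        loadBeansHardened($attempt, $root);
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}

// Vulnerable: the traversal input is simply executed.
chdir($root);
loadBeansVulnerable(['modules/Meetings/../outside.php']);

// Clean up the constructed layout.
array_map('unlink', ["{$root}/modules/Meetings/Meeting.php", "{$root}/outside.php"]);
rmdir("{$root}/modules/Meetings");
rmdir("{$root}/modules");
rmdir($root);
```

Two design points worth keeping from the hardened version: the realpath() prefix check is what catches traversal even after a registry lookup (a registry entry can itself be mistaken), and the is_string() test matters because PHP happily accepts nested arrays for beanFiles[] style parameters, which would otherwise reach the include with a type juggling surprise.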