Skip to main content

Sugarcrm

46 CVEs product

Monthly

CVE-2023-46816 HIGH This Week

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-46815 HIGH This Week

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-35811 HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-35810 HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.2%
CVE-2023-35809 HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2023-35808 HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2023-22952 HIGH POC KEV THREAT Act Now

In SugarCRM before 12.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
80.3%
CVE-2020-7472 CRITICAL Act Now

An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP Sugarcrm
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2020-17373 MEDIUM POC This Month

SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-17372 MEDIUM POC This Month

SugarCRM before 10.1.0 (Q3 2020) allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2019-17314 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.9%
CVE-2019-17313 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2019-17312 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2019-17311 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2019-17310 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17309 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17308 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-17307 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17306 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17305 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-17304 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17303 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-17302 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-17301 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17300 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2019-17299 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17298 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17297 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17296 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17295 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17294 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17293 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17292 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.1%
CVE-2019-17319 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17318 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-17317 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Prototype Pollution Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-17316 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Prototype Pollution Sugarcrm
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2019-17315 HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Prototype Pollution Sugarcrm
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2019-14974 MEDIUM POC THREAT This Month

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
31.0%
CVE-2018-17784 MEDIUM POC This Month

Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
4.4%
CVE-2018-6308 CRITICAL POC Act Now

Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sugarcrm
NVD
CVSS 3.0
9.8
EPSS
1.1%
CVE-2018-5715 MEDIUM POC This Month

phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Sugarcrm
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
6.9%
CVE-2017-14510 MEDIUM POC This Month

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-14509 HIGH POC This Week

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Sugarcrm
NVD
CVSS 3.0
8.8
EPSS
0.8%
CVE-2017-14508 HIGH POC This Week

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sugarcrm
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2015-5946 HIGH POC This Week

Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Sugarcrm
NVD
CVSS 3.0
7.8
EPSS
0.4%
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 7.2
HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP Sugarcrm
NVD
EPSS 80% CVSS 8.8
HIGH POC KEV THREAT Act Now

In SugarCRM before 12.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP Sugarcrm
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP Sugarcrm
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

SugarCRM before 10.1.0 (Q3 2020) allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
EPSS 2% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
EPSS 2% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
EPSS 2% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Sugarcrm
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Sugarcrm
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Prototype Pollution +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Prototype Pollution +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Prototype Pollution +1
NVD
EPSS 31% CVSS 6.1
MEDIUM POC THREAT This Month

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD Exploit-DB
EPSS 4% CVSS 6.1
MEDIUM POC This Month

Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sugarcrm
NVD
EPSS 7% CVSS 6.1
MEDIUM POC This Month

phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Sugarcrm
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Sugarcrm
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sugarcrm
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Sugarcrm
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy