
sugarcrm

68 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2023-46816
>= 12.0.0 and < 12.0.4
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability h
8.8 HIGH
CVE-2023-46815
>= 12.0.0 and < 12.0.4
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been iden
8.8 HIGH
CVE-2023-35811
>= 11.0.0 and < 11.0.6
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identifie
8.8 HIGH
CVE-2023-35810
>= 11.0.0 and < 11.0.6
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerabi
7.2 HIGH
CVE-2023-35809
>= 11.0.0 and < 11.0.6
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been id
8.8 HIGH
CVE-2023-35808
>= 11.0.0 and < 11.0.6
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has
8.8 HIGH
CVE-2023-22952
>= 11.0.0 and < 11.0.5
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing
8.8 HIGH
CVE-2020-36501
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Support module of SugarCRM v6.5.18 allows attackers to execute arbitrar
5.4 MEDIUM
CVE-2020-28956
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Sales module of SugarCRM v6.5.18 allows attackers to execute arbitrary
5.4 MEDIUM
CVE-2020-28955
all versions
SugarCRM v6.5.18 was discovered to contain a cross-site scripting (XSS) vulnerability in the Create Employee module. This vulnerab
5.4 MEDIUM
CVE-2020-7472
>= 8.0.0 and < 8.0.7
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before
9.8 CRITICAL
CVE-2020-17373
< 10.1.0
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
5.3 MEDIUM
CVE-2020-17372
< 10.1.0
SugarCRM before 10.1.0 (Q3 2020) allows XSS.
5.4 MEDIUM
CVE-2012-0694
<= 6.3.1
SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute
9.8 CRITICAL
CVE-2019-17314
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user.
7.2 HIGH
CVE-2019-17313
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user.
8.8 HIGH
CVE-2019-17312
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user.
8.8 HIGH
CVE-2019-17311
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user.
8.8 HIGH
CVE-2019-17310
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user.
7.2 HIGH
CVE-2019-17309
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user.
7.2 HIGH
CVE-2019-17308
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user.
8.8 HIGH
CVE-2019-17307
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user.
7.2 HIGH
CVE-2019-17306
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user.
7.2 HIGH
CVE-2019-17305
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user.
8.8 HIGH
CVE-2019-17304
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.
7.2 HIGH
CVE-2019-17303
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
8.8 HIGH
CVE-2019-17302
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.
8.8 HIGH
CVE-2019-17301
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user.
7.2 HIGH
CVE-2019-17300
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user.
8.8 HIGH
CVE-2019-17299
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user.
7.2 HIGH
CVE-2019-17298
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.
8.8 HIGH
CVE-2019-17297
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.
8.8 HIGH
CVE-2019-17296
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user.
8.8 HIGH
CVE-2019-17295
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user.
8.8 HIGH
CVE-2019-17294
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user.
8.8 HIGH
CVE-2019-17293
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user.
8.8 HIGH
CVE-2019-17292
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user.
7.2 HIGH
CVE-2019-17319
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user.
8.8 HIGH
CVE-2019-17318
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user.
8.8 HIGH
CVE-2019-17317
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user.
7.2 HIGH
CVE-2019-17316
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.
8.8 HIGH
CVE-2019-17315
>= 7.9.0.0 and < 7.9.5.0
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.
7.2 HIGH
CVE-2019-14974
all versions
SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.
6.1 MEDIUM
CVE-2018-17784
>= 6.5.0 and <= 6.5.26
Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM Community Edition 6.5.26 could allow an unauthenticated, remo
6.1 MEDIUM
CVE-2014-3244
< 6.5.16
XML external entity (XXE) vulnerability in the RSSDashlet dashlet in SugarCRM before 6.5.17 allows remote attackers to read arbitr
9.8 CRITICAL
CVE-2018-6308
all versions
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.
9.8 CRITICAL
CVE-2018-5715
all versions
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
6.1 MEDIUM
CVE-2017-14510
<= 7.7.2.2
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.
6.1 MEDIUM
CVE-2017-14509
<= 7.7.2.2
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.
8.8 HIGH
CVE-2017-14508
<= 7.7.2.2
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.
8.8 HIGH
CVE-2015-5946
all versions
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a fi
7.8 HIGH
CVE-2011-4833
all versions
Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, an
CVE-2011-3803
all versions
SugarCRM 6.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the inst
CVE-2011-0745
<= 6.1.2
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate chec
CVE-2010-0465
all versions
Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.
CVE-2009-2978
<= 4.5.1o
SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to
CVE-2009-2146
<= 5.2e
Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM)
CVE-2008-2045
all versions
Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrar
CVE-2006-6712
<= 4.5.0f
Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0f and earlier allows remote attackers to inject arbitrary we
CVE-2006-5082
all versions
Unspecified vulnerability in Sugar Suite Open Source (SugarCRM) before 4.2.1 Patch C (20060917) has unspecified impact, related to
CVE-2006-2460
all versions
Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as
CVE-2005-4087
all versions
PHP remote file include vulnerability in acceptDecline.php in Sugar Suite Open Source Customer Relationship Management (SugarCRM)
CVE-2005-4086
all versions
Directory traversal vulnerability in acceptDecline.php in Sugar Suite Open Source Customer Relationship Management (SugarCRM) 4.0
CVE-2004-1228
<= 2.0.1c
The install scripts in SugarCRM Sugar Sales 2.0.1c and earlier are not removed after installation, which allows attackers to obtai
CVE-2004-1227
<= 2.0.1c
Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and p
CVE-2004-1226
<= 2.0.1c
SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that
CVE-2004-1225
all versions
SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and ga
CVE-2005-0266
all versions
Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HT
threatengine.sh