SugarCRM record SQL injection

sugarcrm-record-sql-injection (18325) Risk level: Medium

Description:

SugarCRM is vulnerable to SQL injection. By sending a specially-crafted URL request containing SQL code in the record variable, a remote attacker could obtain sensitive information, and add, modify or delete data in the backend database.
Consequences:

Data Manipulation

Remedy:

Upgrade to the latest version of SugarCRM (2.0.1a or later), available from the SugarCRM Web page. See References.

References:

  • GulfTech Security Advisory December 1, 2004: Multiple Vulnerabilities In SugarCRM.
  • SugarCRM Web page: CRM Software - SugarCRM - Commercial Open Source CRM Software - Sugar CRM.
  • BID-11740: SugarCRM Multiple Input Validation Vulnerabilities
  • CVE-2004-1225: SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality.

Platforms Affected:

  • SugarCRM SugarCRM 1.5
  • SugarCRM SugarCRM 2.0

Reported:

Dec 01, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net