SQL Injection in SugarCRM
|Vulnerable Versions:||Community Edition 6.3.0RC1 and probably prior|
|Tested Version:||Community Edition 6.3.0RC1|
|Advisory Publication:||October 5, 2011 [without technical details]|
|Vendor Notification:||October 5, 2011|
|Public Disclosure:||November 30, 2011|
|Latest Update:||November 30, 2011|
|Vulnerability Type:||SQL Injection [CWE-89]|
|CVSSv2 Base Score:||7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge SA Security Research Lab has discovered vulnerability in SugarCRM, which can be exploited to perform SQL injection attacks.
|This was addressed as a part of the following versions of SugarCRM.|
6.1.7 ( http://www.sugarcrm.com/crm/support/bugs.html#issue_47839 )
6.2.4 ( http://www.sugarcrm.com/crm/support/bugs.html#issue_47800 )
6.3.0RC3 ( http://www.sugarcrm.com/crm/support/bugs.html#issue_47805 )
6.4.0beta1 ( http://www.sugarcrm.com/crm/support/bugs.html#issue_47806 )
Upgrading to any of these versions will resolve the issue. Downloads are available at http://www.sugarforge.org/frs/?group_id=6.
| High-Tech Bridge Advisory HTB23051 - https://www.immuniweb.com/advisory/HTB23051 - SQL Injection Vulnerability in SugarCRM|
 SugarCRM - sugarcrm.com - Sugar is an affordable and easy to use customer relationship management (CRM) platform, designed to help your business communicate with prospects, share sales information, close deals and keep customers happy.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.