6.1

CVE-2017-14510

Exploit
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SugarcrmSugarcrm Version <= 7.7.2.2
SugarcrmSugarcrm Version6.5.26 SwEditioncommunity
SugarcrmSugarcrm Version7.8.0.0
SugarcrmSugarcrm Version7.8.0.1
SugarcrmSugarcrm Version7.8.1.0
SugarcrmSugarcrm Version7.8.2.0
SugarcrmSugarcrm Version7.8.2.1
SugarcrmSugarcrm Version7.9.0.0
SugarcrmSugarcrm Version7.9.0.1
SugarcrmSugarcrm Version7.9.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.42% 0.694
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/
Third Party Advisory
Exploit
https://www.synology.com/support/security/Synology_SA_17_53_SugarCRM
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/
Vendor Advisory