Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2011-4833
Last Modified 09 Feb 2012 12:00:00
Published 14 Dec 2011 10:57:34
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-4833

Summary

Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php.

Vulnerable Systems

Application

  • Sugarcrm 6.1.0

  • Sugarcrm 6.1.1

  • Sugarcrm 6.1.2

  • Sugarcrm 6.1.3

  • Sugarcrm 6.1.4

  • Sugarcrm 6.1.5

  • Sugarcrm 6.1.6

  • Sugarcrm 6.2.0

  • Sugarcrm 6.2.1

  • Sugarcrm 6.2.2

  • Sugarcrm 6.2.3

  • Sugarcrm 6.3.0

  • Sugarcrm 6.4


References

MISC - https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html

XF - sugarcrm-index-sql-injection(71586)

CONFIRM - http://www.sugarcrm.com/crm/support/bugs.html#issue_47839

CONFIRM - http://www.sugarcrm.com/crm/support/bugs.html#issue_47806

CONFIRM - http://www.sugarcrm.com/crm/support/bugs.html#issue_47805

CONFIRM - http://www.sugarcrm.com/crm/support/bugs.html#issue_47800

BUGTRAQ - 20111130 Sql injection in SugarCRM

OSVDB - 77459

SECTRACK - 1026369

SECUNIA - 47011


Last Updated: 27 May 2016 10:57:55