author: swills <swills@FreeBSD.org> 2017-09-27 05:32:56 +0800
committer: swills <swills@FreeBSD.org> 2017-09-27 05:32:56 +0800
commit: a3cd9cfa7fe658c4e61eb454226f99bebbc84d5d (patch)
tree: 91b90d44960a03c7feeb4abc67feab7d639f8142 /security/vuxml/vuln.xml
parent: dcd6d9e1099ce06c735340530c2f2a8d085a0818 (diff)
Document sugarcrm issue
Diffstat (limited to 'security/vuxml/vuln.xml')
-rw-r--r--  security/vuxml/vuln.xml  35
1 files changed, 35 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 8c0af8b48db2..930bd2f7b5f8 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,41 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="3b776502-f601-44e0-87cd-b63f1b9ae42a">
+ <topic>sugarcrm -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>sugarcrm</name>
+ <range><le>6.5.26</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>sugarcrm developers reports:</p>
+ <blockquote cite="https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/">
+ <p>An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.</p>
+ <p>An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a query string. Proper input validation has been added to mitigate this issue.</p>
+ <p>An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by proper validating the redirect URL values being passed along.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/</url>
+ <url>https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/</url>
+ <url>https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/</url>
+ <url>https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/</url>
+ <url>https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/</url>
+ <url>https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/</url>
+ <cvename>CVE-2017-14508</cvename>
+ <cvename>CVE-2017-14509</cvename>
+ <cvename>CVE-2017-14510</cvename>
+ </references>
+ <dates>
+ <discovery>2017-9-17</discovery>
+ <entry>2017-9-26</entry>
+ </dates>
+ </vuln>
+
<vuln vid="b2952517-07e5-4d19-8850-21c5b7e0623f">
<topic>libzip -- denial of service</topic>
<affects>
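Review bot: The `<discovery>` and `<entry>` dates in the new `<dates>` block are not zero-padded (`2017-9-17`, `2017-9-26`); VuXML dates are `YYYY-MM-DD`, so these should read `2017-09-17` and `2017-09-26` or the entry will fail schema validation. Also in the `<references>` block the RIPS blog URL is listed three times (once per advisory); one `<url>` for it next to the three sugarcrm-sa-2017-00x links is enough. Minor: "sugarcrm developers reports:" should be "SugarCRM developers report:", and the blockquote `cite` points at the RIPS blog while the text is attributed to the developers, so one of the two should be adjusted for consistency.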