CVE-2018-6308 - OpenCVE

Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sugarcrm	Sugarcrm

Configuration 1 [-]

cpe:2.3:a:sugarcrm:sugarcrm:6.5.26:*:*:*:community:*:*:*

References

Link	Resource
http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf	Exploit Technical Description Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-01-25T08:00:00

Updated: 2018-01-25T07:57:01

Reserved: 2018-01-25T00:00:00

Link: CVE-2018-6308

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-01-25T08:29:00.383

Modified: 2018-02-12T18:37:43.407

Link: CVE-2018-6308

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-01-25T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\\Campaigns\\Tracker.php and modules\\Campaigns\\utils.php, the default_currency_name parameter to modules\\Configurator\\controller.php and modules\\Currencies\\Currency.php, the duplicate parameter to modules\\Contacts\\ShowDuplicates.php, the mergecur parameter to modules\\Currencies\\index.php and modules\\Opportunities\\Opportunity.php, and the load_signed_id parameter to modules\\Documents\\Document.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-25T07:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6308", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\\Campaigns\\Tracker.php and modules\\Campaigns\\utils.php, the default_currency_name parameter to modules\\Configurator\\controller.php and modules\\Currencies\\Currency.php, the duplicate parameter to modules\\Contacts\\ShowDuplicates.php, the mergecur parameter to modules\\Currencies\\index.php and modules\\Opportunities\\Opportunity.php, and the load_signed_id parameter to modules\\Documents\\Document.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf", "refsource": "MISC", "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-6308", "datePublished": "2018-01-25T08:00:00", "dateReserved": "2018-01-25T00:00:00", "dateUpdated": "2018-01-25T07:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sugarcrm:sugarcrm:6.5.26:*:*:*:community:*:*:*", "matchCriteriaId": "D3E99EB2-05BF-4575-9170-D9014B2D6B5A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\\Campaigns\\Tracker.php and modules\\Campaigns\\utils.php, the default_currency_name parameter to modules\\Configurator\\controller.php and modules\\Currencies\\Currency.php, the duplicate parameter to modules\\Contacts\\ShowDuplicates.php, the mergecur parameter to modules\\Currencies\\index.php and modules\\Opportunities\\Opportunity.php, and the load_signed_id parameter to modules\\Documents\\Document.php."}, {"lang": "es", "value": "Existen m\u00faltiples inyecciones SQL en SugarCRM Community Edition 6.5.26 y anteriores mediante el par\u00e1metro track en modules\\Campaigns\\Tracker.php y modules\\Campaigns\\utils.php, el par\u00e1metro default_currency_name en modules\\Configurator\\controller.php y modules\\Currencies\\Currency.php, el par\u00e1metro duplicate en modules\\Contacts\\ShowDuplicates.php, el par\u00e1metro mergecur en modules\\Currencies\\index.php y modules\\Opportunities\\Opport2unity.php y el par\u00e1metro load_signed_id en modules\\Documents\\Document.php."}], "id": "CVE-2018-6308", "lastModified": "2018-02-12T18:37:43.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-25T08:29:00.383", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "http://www.defensecode.com/advisories/DC-2018-01-011_SugarCRM_Community_Edition_Advisory.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}