FreeBSD : sugarcrm -- multiple vulnerabilities (3b776502-f601-44e0-87cd-b63f1b9ae42a)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

sugarcrm developers report :

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before
7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition
6.5.26). Several areas have been identified in the Documents and
Emails module that could allow an authenticated user to perform SQL
injection, as demonstrated by a backslash character at the end of a
bean_id to modules/Emails/DetailView.php. An attacker could exploit
these vulnerabilities by sending a crafted SQL request to the affected
areas. An exploit could allow the attacker to modify the SQL database.
Proper SQL escaping has been added to prevent such exploits.

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before
7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition
6.5.26). A remote file inclusion has been identified in the Connectors
module allowing authenticated users to include remotely accessible
system files via a query string. Proper input validation has been
added to mitigate this issue.

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before
7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition
6.5.26). The WebToLeadCapture functionality is found vulnerable to
unauthenticated cross-site scripting (XSS) attacks. This attack vector
is mitigated by properly validating the redirect URL values being passed
along.

See also :

http://www.nessus.org/u?6737bac2
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/
http://www.nessus.org/u?0c54d97b

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 103475

Bugtraq ID:

CVE ID: CVE-2017-14508
CVE-2017-14509
CVE-2017-14510
