CVE-2011-4833
HIGH severity · CVSS 7.5 · SQL injection
Summary
Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php.
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: —
User interaction: —
Confidentiality impact: —
Integrity impact: —
Availability impact: —
Exploit probability (EPSS): 2%
CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://secunia.com/advisories/47011 (Advisory)
- http://www.securityfocus.com/archive/1/520685/100/0/threaded
- http://securitytracker.com/id?1026369 (Exploit)
- http://www.osvdb.org/77459 (Exploit)
- http://www.sugarcrm.com/crm/support/bugs.html#issue_47800 (Exploit)
- http://www.sugarcrm.com/crm/support/bugs.html#issue_47805 (Exploit)
- http://www.sugarcrm.com/crm/support/bugs.html#issue_47806 (Exploit)
- http://www.sugarcrm.com/crm/support/bugs.html#issue_47839 (Exploit)