• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: SugarCRM Multiple Cross-Site Scripting Vulnerability

Severity: MODERATE

Description:

SugarCRM is a customer relationship management suite that is implemented in Java and PHP. It is available for Microsoft Windows operating systems and UNIX/Linux variants.

SugarCRM is prone to multiple cross-site scripting vulnerabilities. These issues are exposed through various URI parameters of the 'index.php' script. The affected parameters are not adequately sanitized of HTML and script code before being output into dynamically generated pages.

The 'return_module', 'return_action', 'name', 'module', and 'record' URI parameters are affected.

An attacker could exploit these issues by enticing a victim user into following a malicious link that contains hostile HTML and script code. Embedded HTML and script code would be able to access properties of the hosting Web site. This could be exploited to steal cookie-based authentication credentials.

The discoverer of these issues stated that some of the issues could theoretically allow for execution of arbitrary PHP code, though has not provided further information as to how this is possible. This BID will be updated accordingly if further details are provided.

Affected Products:

• SugarCRM SugarCRM 1.0.0
• SugarCRM SugarCRM 1.0.0f
• SugarCRM SugarCRM 1.0.0g
• SugarCRM SugarCRM 1.1.0
• SugarCRM SugarCRM 1.1.0a
• SugarCRM SugarCRM 1.1.0b
• SugarCRM SugarCRM 1.1.0c
• SugarCRM SugarCRM 1.1.0d
• SugarCRM SugarCRM 1.1.0e
• SugarCRM SugarCRM 1.1.0f
• SugarCRM SugarCRM 1.5.0d
• SugarCRM SugarCRM 2.0.1
• SugarCRM SugarCRM 2.0.1a

References:

• SugarCRM: SugarCRM Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.