CVE-2017-14508

Name of the Vulnerable Software and Affected Versions SugarCRM versions prior to 7.7.2.3 SugarCRM versions 7.8.x prior to 7.8.2.2 SugarCRM versions 7.9.x prior to 7.9.2.0 Sugar Community Edition version 6.5.26

Description An issue was discovered in several areas of the Documents and Emails module that could allow an authenticated user to perform SQL injection. This can be demonstrated by a backslash character at the end of a bean id to "modules/Emails/DetailView.php". An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas, potentially allowing the attacker to modify the SQL database.

Recommendations For SugarCRM versions prior to 7.7.2.3, update to version 7.7.2.3 or later. For SugarCRM versions 7.8.x prior to 7.8.2.2, update to version 7.8.2.2 or later. For SugarCRM versions 7.9.x prior to 7.9.2.0, update to version 7.9.2.0 or later. For Sugar Community Edition version 6.5.26, update to a version that includes the fix for this issue.