CVE-2017-5218

Name of the Vulnerable Software and Affected Versions SageCRM versions 7.x through 7.3 SP2

Description A SQL Injection issue was discovered. The AP DocumentUI.asp web resource includes Utilityfuncs.js, which crafts a SQL statement to identify the database in use with the current user's session. The database variable can be populated from the URL and manipulated to obtain access to the underlying database using non-expected characters. A Proof of Concept URI is /CRM/CustomPages/ACCPAC/AP DocumentUI.asp?SID=&database=1';WAITFOR DELAY '0:0:5'--

Recommendations For SageCRM versions 7.x through 7.3 SP2, update to version 7.3 SP3 or later to resolve the issue. As a temporary workaround, consider restricting access to the AP DocumentUI.asp web resource and the Utilityfuncs.js file to minimize the risk of exploitation. Avoid using the database variable in the affected API endpoint until the issue is resolved.