PT-2018-17466 · Sugarcrm · Sugar Community Edition

Published: 2018-01-25 · Updated: 2018-02-12 · CVE-2018-6308

CVSS v3.1: 9.8 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions: SugarCRM Community Edition versions 6.5.26 and below

Description: The issue concerns SQL injection in multiple parameters across several modules. Specifically, the track parameter in modules/Campaigns/Tracker.php and modules/Campaigns/utils.php, the default_currency_name parameter in modules/Configurator/controller.php and modules/Currencies/Currency.php, the duplicate parameter in modules/Contacts/ShowDuplicates.php, the mergecur parameter in modules/Currencies/index.php and modules/Opportunities/Opportunity.php, and the load_signed_id parameter in modules/Documents/Document.php are vulnerable.

Recommendations: For SugarCRM Community Edition versions 6.5.26 and below, consider disabling the affected parameters (track, default_currency_name, duplicate, mergecur and load_signed_id) until a patch is available. Restrict access to the vulnerable modules (Campaigns, Configurator, Contacts, Currencies, Opportunities and Documents) to minimize the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this issue.
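A detection check that goes with the recommendations above, added here as an example rather than code from the advisory or from SugarCRM: it scans web-server access-log lines (combined log format assumed) for requests to the scripts named in this advisory whose affected parameters carry SQL metacharacters or keywords. The script-to-parameter map is taken from the description; the injection-hint pattern and the sample log lines are constructed for the example.

```python
"""Flag access-log requests that reach the SugarCRM CE scripts named in
CVE-2018-6308 with suspicious values in the affected parameters."""
import re
from urllib.parse import parse_qs, urlsplit

# Affected script -> parameters the advisory reports as injectable.
AFFECTED = {
    "modules/Campaigns/Tracker.php": {"track"},
    "modules/Campaigns/utils.php": {"track"},
    "modules/Configurator/controller.php": {"default_currency_name"},
    "modules/Currencies/Currency.php": {"default_currency_name"},
    "modules/Contacts/ShowDuplicates.php": {"duplicate"},
    "modules/Currencies/index.php": {"mergecur"},
    "modules/Opportunities/Opportunity.php": {"mergecur"},
    "modules/Documents/Document.php": {"load_signed_id"},
}

# Crude injection indicator (heuristic, not SugarCRM's own validation):
# quote, statement terminator, comment marker or a common SQL keyword.
SQLI_HINT = re.compile(r"""['"`;]|--|/\*|\b(?:union|select|or|and|sleep|benchmark)\b""", re.I)

# Combined log format: client ident user [date] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def inspect_request(path):
    """Return (script, param, decoded value) for the first affected parameter
    carrying an injection hint, or None if the request is not of interest."""
    parts = urlsplit(path)
    for script, params in AFFECTED.items():
        if parts.path.endswith("/" + script) or parts.path.lstrip("/") == script:
            query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
            for name in params:
                for value in query.get(name, []):
                    if SQLI_HINT.search(value):
                        return script, name, value
    return None

def scan_log(lines):
    """Return one finding dict per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, _method, path, status = m.groups()
        finding = inspect_request(path)
        if finding:
            hits.append({"client": client, "script": finding[0], "param": finding[1],
                         "value": finding[2], "status": int(status)})
    return hits

# Constructed sample log lines: one benign tracker hit, one with a quote and
# comment marker in track, one unrelated page, one quoted load_signed_id value.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2018:10:00:01 +0000] "GET /sugar/modules/Campaigns/Tracker.php?track=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [25/Jan/2018:10:00:02 +0000] "GET /sugar/modules/Campaigns/Tracker.php?track=42%27-- HTTP/1.1" 200 9812',
    '10.0.0.9 - - [25/Jan/2018:10:00:03 +0000] "GET /sugar/index.php?module=Home&action=index HTTP/1.1" 200 3000',
    '10.0.0.7 - - [25/Jan/2018:10:00:04 +0000] "GET /sugar/modules/Documents/Document.php?load_signed_id=abc%22 HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on a flagged request is worth prioritising, since a broken query is what a malformed parameter value typically produces on an unpatched install.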

Weakness enumeration

SQL injection

Related identifiers

CVE-2018-6308

Affected products

Sugar Community Edition