漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
N/A
Vulnerability Description
A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The database variable can be populated from the URL, and when supplied non-expected characters, can be manipulated to obtain access to the underlying database. The /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'-- URI is a Proof of Concept.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
SageCRM SQL注入漏洞
Vulnerability Description
SageCRM是美国Sage公司的一套易于使用的、可扩展的客户关系管理解决方案。该方案可帮助用户随时访问企业内部的重要数据信息、帮助企业实现销售自动化、客户关怀,以及市场营销活动等。 SageCRM 7.3 SP3之前的7.x版本中的AP_DocumentUI.asp resource存在SQL注入漏洞。攻击者可利用该漏洞获取底层数据库的访问权限。
CVSS Information
N/A
Vulnerability Type
N/A