Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The database variable can be populated from the URL, and when supplied non-expected characters, can be manipulated to obtain access to the underlying database. The /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'-- URI is a Proof of Concept.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
SageCRM SQL注入漏洞
Vulnerability Description
SageCRM是美国Sage公司的一套易于使用的、可扩展的客户关系管理解决方案。该方案可帮助用户随时访问企业内部的重要数据信息、帮助企业实现销售自动化、客户关怀,以及市场营销活动等。 SageCRM 7.3 SP3之前的7.x版本中的AP_DocumentUI.asp resource存在SQL注入漏洞。攻击者可利用该漏洞获取底层数据库的访问权限。
CVSS Information
N/A
Vulnerability Type
N/A