CVE-2017-14508

high
Published 2017-09-17 · Modified 2026-05-13
CVSS v3
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2
6.5
VIR risk
8.8

Description

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/

Application impact

Vendor    Product   Versions                     Fixed
sugarcrm  sugarcrm  up to and including 7.7.2.2
sugarcrm  sugarcrm  6.5.26
sugarcrm  sugarcrm  7.8.0.0
sugarcrm  sugarcrm  7.8.0.1
sugarcrm  sugarcrm  7.8.1.0
sugarcrm  sugarcrm  7.8.2.0
sugarcrm  sugarcrm  7.8.2.1
sugarcrm  sugarcrm  7.9.0.0
sugarcrm  sugarcrm  7.9.0.1
sugarcrm  sugarcrm  7.9.1.0

References

CWEs

CWE-89
