cvedb.io
CVE-2017-5218
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2017-02-02T07:59:00.130 · Last modified 2026-06-17T01:20:11.347

Summary

A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The database variable can be populated from the URL, and when supplied non-expected characters, can be manipulated to obtain access to the underlying database. The /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'-- URI is a Proof of Concept.

Affected products

sagecrm — sagecrm

Does this affect you?

Add your gear to cvedb and we'll alert you only when sagecrm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.