CVE-2019-14974
Published 2019-08-14
CVE-2019-14974: SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.
Severity: medium (CVSS 3.0 base score 6.1)
Exploit: public exploit available
EPSS: 31.04% (98.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sugarcrm | sugarcrm | — | — |
Detection & IOCs (extracted from sources)
URL IOC: /mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms://
- Look for HTTP GET requests to /mobile/error-not-supported-platform.html whose desktop_url parameter carries a javascript: URI scheme, optionally followed by ;//itms:// as in the public PoC (the ;// turns anything the page appends to the value into a JavaScript comment). Compare the parameter value after URL-decoding and case-folding, since the scheme may be case-mangled or percent-encoded in the log.
- Fingerprint the vulnerable page by matching the response body for the string: url = window.location.search.split("?desktop_url=")[1] (the value is taken from the query string with no scheme check). Presence of this string confirms the unpatched endpoint is live.
- Use Shodan/FOFA to identify exposed SugarCRM instances as potential targets: search for http.html:"sugarcrm inc. all rights reserved" or http.title:sugarcrm.
- Exploitation requires user interaction: the victim must open the crafted link and then click 'FULL VERSION OF WEBSITE' on the resulting page to trigger the payload (CVSS UI:R).
- The vulnerability is unauthenticated (CVSS PR:N): no SugarCRM login is needed to craft or distribute the malicious link, only to be the victim who clicks it.
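The two checks above, as an added example (this is not the Exploit-DB PoC, the Nuclei template, or SugarCRM's own code): part 1 places the unsafe redirect pattern named in the page-side fingerprint beside a hardened replacement that only accepts http(s) targets on a pinned host, and part 2 runs the request-side IOC over constructed access-log lines, normalising the parameter so case and encoding tricks do not slip past. The function names, the allowed-host list, and the log lines are assumptions for illustration; it runs under Node with no dependencies.

```javascript
// Added example: not the Exploit-DB PoC, the Nuclei template or SugarCRM code.
// All function names, the allowed-host list and the log lines are assumptions.

// --- Part 1: the page-side pattern --------------------------------------

// The pattern the fingerprint matches: everything after "?desktop_url=" is
// used as the link target. A javascript: value executes when the victim
// clicks "FULL VERSION OF WEBSITE".
function unsafeDesktopUrl(search) {
  return search.split("?desktop_url=")[1];
}

// Hardened version: parse with the URL constructor, accept only http(s), and
// pin the host so the page is not usable as an open redirect either.
// Returns null when the caller should fall back to a fixed default.
function safeDesktopUrl(search, allowedHosts = ["crm.example.com"]) {
  const query = search.startsWith("?") ? search.slice(1) : search;
  const raw = new URLSearchParams(query).get("desktop_url");
  if (raw === null) return null;
  let parsed;
  try {
    parsed = new URL(raw); // no base URL: relative and "//host" values throw
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  if (!allowedHosts.includes(parsed.hostname)) return null;
  return parsed.href;
}

// --- Part 2: the request-side IOC over access logs -----------------------

const VULN_PATH = "/mobile/error-not-supported-platform.html";
const DANGEROUS_SCHEMES = /^(javascript|data|vbscript):/;

// Decode up to two layers of percent-encoding, then drop whitespace and
// control characters and lower-case the result. Browsers strip tabs and
// newlines from a URL before parsing, so "java\tscript:" still runs; the
// decoding is for the detector's benefit, since log pipelines and WAFs
// often see encoded variants of the same payload.
function normalizeParam(value) {
  let v = value;
  for (let i = 0; i < 2; i++) {
    try { v = decodeURIComponent(v); } catch (e) { break; }
  }
  return v.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
}

// True when a combined-log-format line is a GET/HEAD for the vulnerable page
// with a desktop_url value whose scheme is executable.
function isSuspiciousRequest(logLine) {
  const m = logLine.match(/"(?:GET|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  if (!m) return false;
  const target = m[1];
  const qIndex = target.indexOf("?");
  const path = qIndex === -1 ? target : target.slice(0, qIndex);
  if (!path.endsWith(VULN_PATH) || qIndex === -1) return false;
  // URLSearchParams percent-decodes once; normalizeParam handles the rest
  const raw = new URLSearchParams(target.slice(qIndex + 1)).get("desktop_url");
  if (raw === null) return false;
  return DANGEROUS_SCHEMES.test(normalizeParam(raw));
}

// Returns the indices of the flagged lines.
function flagSuspicious(lines) {
  const hits = [];
  lines.forEach((line, i) => { if (isSuspiciousRequest(line)) hits.push(i); });
  return hits;
}

// Constructed sample log lines (RFC 5737 addresses, not real traffic).
const SAMPLE_LOG = [
  // 0: legitimate use of the parameter
  '203.0.113.5 - - [14/Aug/2019:10:01:02 +0000] "GET /mobile/error-not-supported-platform.html?desktop_url=https://crm.example.com/index.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
  // 1: the public PoC payload as-is
  '198.51.100.7 - - [14/Aug/2019:10:02:30 +0000] "GET /mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms:// HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
  // 2: double-encoded, case-mangled, tab-split scheme as a pipeline might see it
  '198.51.100.7 - - [14/Aug/2019:10:03:11 +0000] "GET /mobile/error-not-supported-platform.html?desktop_url=JaVa%2509script%253Aalert(1) HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
  // 3: same scheme on an unrelated endpoint: not this CVE
  '192.0.2.9 - - [14/Aug/2019:10:04:00 +0000] "GET /index.php?module=Home&desktop_url=javascript:alert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

console.log("flagged lines:", flagSuspicious(SAMPLE_LOG)); // [1, 2]
```

The hardened function rejects protocol-relative values ("//evil.example") because the URL constructor without a base throws on them, and it rejects an off-host http(s) target as well, which closes the open-redirect variant of the same parameter. The detector deliberately ignores the response code: a 200 on line 1 is exactly what an unpatched instance returns.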
CVSS provenance
NVD CVSS v3.0: 6.1 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
No detection rules found.
Exploit-DB
CVE-2019-14974 SugarCRM Enterprise 9.0.0 - Cross-Site Scripting (exploitdb · 2019-08-14)
---
# Exploit Title: 0Day Unauthenticated XSS SugarCRM Enterprise
# Google Dork: N/A
# Date: 11.08.2019
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: https://www.sugarcrm.com
# Version: 9.0.0
# Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76
# CVE : 2019-14974
The application fails to sanitize user input on https://sugarcrm-qms.XXX.com/mobile/error-not-supported-platform.html and reflects the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser.
Steps to reproduce:
1. Attacker will craft a malicious payload and create a legitimate link with the payload included;
2. Attacker will send the link to the victim;
3. Upon c
Nuclei
CVE-2019-14974 [MEDIUM] SugarCRM Enterprise 9.0.0 - Cross-Site Scripting (nuclei · CVSS 6.1)
SugarCRM Enterprise 9.0.0 contains a cross-site scripting vulnerability via mobile/error-not-supported-platform.html?desktop_url.
Template:
id: CVE-2019-14974
info:
  name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
  author: madrobot
  severity: medium
  description: SugarCRM Enterprise 9.0.0 contains a cross-site scripting vulnerability via mobile/error-not-supported-platform.html?desktop_url.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of SugarCRM Enterprise.
  refere