Vulnerability Disclosures

Vulnerabilities discovered and disclosed by the technical team at Aura Information Security.

| Name and Description | CVE(s) | Publish Date | Vendor and Product | Affected Versions |
|---|---|---|---|---|
| SageCRM - SQL Injection, Arbitrary File Upload: A SQL injection and an arbitrary file upload vulnerability allow authenticated attackers to obtain access to the underlying database or obtain remote code execution. | CVE-2017-5219, CVE-2017-5218 | January 24 2017 | Sage - SageCRM | 7.0.e and later |
| VMware Horizon DaaS - Improper IP Address Validation: Insecure data validation during RDP file creation allows an attacker to manipulate client users into connecting to a malicious server. | VMSA-2017-0002, CVE-2017-4897 | March 10 2017 | VMware - Horizon DaaS Platform | 6.1.x |
| Sitecore CRM 8.1: Authenticated vulnerabilities within Sitecore permit arbitrary file upload and download. | CVE-2017-5965, CVE-2017-5966 | May 19 2017 | Sitecore - Sitecore | 8.1 Rev 151207 |