Vulnerabilities discovered and disclosed by the technical team at Aura Information Security.
SageCRM - SQL Injection, Arbitrary File Upload
Publish date: January 24 2017
Vendor and product: Sage - SageCRM
Versions affected: 7.0.e and later
A SQL injection and an arbitrary file upload vulnerability allow authenticated attackers to obtain access to the underlying database or obtain remote code execution.
Sitecore CRM 8.1
Publish date: May 19 2017
Vendor and product: Sitecore - Sitecore
Versions affected: 8.1 Rev 151207
Vulnerabilities within Sitecore that require authentication permit arbitrary file upload and download.