Vulnerability Disclosures

Vulnerabilities discovered and disclosed by the technical team at Aura Information Security.

  • SageCRM - SQL Injection, Arbitrary File Upload
    CVE-2017-5219, CVE-2017-5218
    Publish date: January 24 2017
    Vendor and product: Sage - SageCRM
    Versions affected: 7.0.e and later

    A SQL injection and an arbitrary file upload vulnerability allow authenticated attackers to obtain access to the underlying database or obtain remote code execution.

  • Sitecore CRM 8.1
    CVE-2017-5965, CVE-2017-5966
    Publish date: May 19 2017
    Vendor and product: Sitecore - Sitecore
    Versions affected: 8.1 Rev 151207

    Authenticated vulnerabilities within Sitecore permit arbitrary file upload and download.