PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5218 Sagecrm CVE debrief

CVE-2017-5218 is a high-severity SQL injection issue in SageCRM 7.x before 7.3 SP3. The vulnerable AP_DocumentUI.asp web resource includes Utilityfuncs.js when a file is opened or viewed, and that script builds a SQL statement used to identify the database for the current user's session. According to the CVE record, the database value is taken from the URL, so a value carrying unexpected characters changes the statement itself and opens a path to unauthorized database access. The CVE entry and NVD record both list SageCRM 7.0, 7.1, 7.2, 7.3, 7.3 SP1, and 7.3 SP2 as affected, with 7.3 SP3 named in the description as the fixed boundary. The published PoC URI shows that the issue is reachable over the network by a user holding a valid session, which matches the CVSS 3.0 vector: network attack, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Vendor
Sagecrm
Product
SageCRM
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-02
Original CVE updated
2026-05-13
Advisory published
2017-02-02
Advisory updated
2026-05-13

Who should care

Administrators and security teams running SageCRM 7.x, in particular versions 7.0 through 7.3 SP2, should treat this as a priority remediation item. It also matters to teams that expose SageCRM to internal or external users, because any user holding a valid session can reach the vulnerable request; the attack does not require administrative rights.

Technical summary

AP_DocumentUI.asp loads Utilityfuncs.js, and the script constructs a SQL statement to determine the database used for the current session. Per the CVE description, the database name is populated from the URL, so characters outside the expected identifier syntax alter the statement rather than being treated as data. NVD maps the weakness to CWE-89 and assigns a CVSS 3.0 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): an authenticated, low-complexity SQL injection with high impact.
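The following is an added illustration of the weakness class the summary describes, written for this debrief and not taken from SageCRM's Utilityfuncs.js. It places the vulnerable shape (a database name from the URL spliced into statement text) beside a hardened shape. The function names, the allowlist contents and the sample inputs are assumptions for the example; the hardening shown is allowlist validation, because a database name is a SQL identifier and cannot be bound as a query parameter.

```javascript
// Added example, not SageCRM code. Function names, the allowlist and the
// sample inputs below are assumed for illustration.

// Vulnerable shape: the value from the query string is spliced into the
// statement text, so quote and comment characters rewrite the statement.
function buildSessionDbQueryVulnerable(dbNameFromUrl) {
  return "SELECT name FROM sys.databases WHERE name = '" + dbNameFromUrl + "'";
}

// Hardened shape. A database name is an identifier, not a data value, so it
// cannot be passed as a bound parameter; the defence is a two-step allowlist:
// the value must look like a plain identifier AND be a database we know.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;
const KNOWN_DATABASES = new Set(["CRM", "CRM_TEST"]); // constructed sample allowlist

function selectSessionDatabase(dbNameFromUrl) {
  if (typeof dbNameFromUrl !== "string" || !IDENTIFIER.test(dbNameFromUrl)) {
    return { accepted: false, reason: "not a plain identifier" };
  }
  if (!KNOWN_DATABASES.has(dbNameFromUrl)) {
    return { accepted: false, reason: "not a known database" };
  }
  // Only a value from our own set reaches the statement; it is quoted as a
  // T-SQL identifier (brackets), never as a string literal.
  return { accepted: true, statement: "USE [" + dbNameFromUrl + "]" };
}

// Constructed inputs: one legitimate name and two injection-style values.
const SAMPLE_INPUTS = ["CRM", "CRM' OR '1'='1", "x'; DROP TABLE Users;--"];

// Runs both shapes over the sample inputs and returns the comparison.
function demo() {
  return SAMPLE_INPUTS.map((value) => ({
    input: value,
    vulnerable: buildSessionDbQueryVulnerable(value),
    hardened: selectSessionDatabase(value),
  }));
}

for (const row of demo()) console.log(JSON.stringify(row));
```

The vulnerable builder passes the second input through unchanged, producing a WHERE clause that is always true; the hardened path rejects it before any SQL is assembled, and also rejects syntactically valid names that are not in the allowlist.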

Defensive priority

High

Recommended defensive actions

  • Upgrade SageCRM to 7.3 SP3 or later, as identified in the CVE description.
  • Review and restrict access to SageCRM endpoints that accept session-linked parameters, especially AP_DocumentUI.asp.
  • Validate that values derived from the URL are bound as query parameters before reaching SQL; for identifiers such as a database name, which cannot be parameterized, check the value against an allowlist of known names instead.
  • Audit for anomalous requests to /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp, especially requests whose database parameter carries quotes, comment markers, or other characters outside a plain identifier.
  • If upgrade cannot be completed immediately, apply compensating controls such as tighter access restrictions, WAF rules, and session monitoring while remediation is underway.
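As an added example of the audit step above (not part of the original debrief), the script below scans IIS W3C log lines for requests to AP_DocumentUI.asp whose database parameter is not a plain identifier. The log lines are constructed for this example, and the query-string parameter name "database" is an assumption taken from the advisory's wording; adjust it to the name observed in your own traffic.

```javascript
// Added example: detection logic over constructed IIS W3C log lines.
// The parameter name "database" is assumed from the advisory wording.
const FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"];
const TARGET_STEM = "/crm/custompages/accpac/ap_documentui.asp";
const PLAIN_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,127}$/;

// Constructed sample log: one benign hit, one unrelated request, two suspicious hits.
const SAMPLE_LOG = [
  "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
  "2024-01-10 09:12:01 10.0.0.5 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp SID=1234&database=CRM 200",
  "2024-01-10 09:12:07 10.0.0.9 GET /CRM/eware.dll/Do Act=101&Mode=1 200",
  "2024-01-10 09:13:44 203.0.113.7 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp SID=1234&database=CRM%27%20OR%201%3D1-- 500",
  "2024-01-10 09:14:02 203.0.113.7 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp SID=1234&database=CRM%5D%3B%20WAITFOR%20DELAY%20%2700%3A00%3A05%27-- 200",
  "2024-01-10 09:15:30 10.0.0.5 GET /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp - 200",
].join("\n");

// Splits one space-delimited W3C record into a field map; returns null if short.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < FIELDS.length) return null;
  const record = {};
  FIELDS.forEach((name, i) => { record[name] = parts[i]; });
  return record;
}

// Returns every request to the target page whose decoded database parameter
// falls outside a plain identifier. IIS writes "-" for an empty query string.
function findSuspiciousRequests(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    if (line.startsWith("#") || line.trim() === "") continue;
    const record = parseLine(line);
    if (!record || record["cs-uri-stem"].toLowerCase() !== TARGET_STEM) continue;
    const rawQuery = record["cs-uri-query"] === "-" ? "" : record["cs-uri-query"];
    const db = new URLSearchParams(rawQuery).get("database"); // percent-decodes
    if (db === null || PLAIN_IDENTIFIER.test(db)) continue;
    hits.push({
      time: record["date"] + " " + record["time"],
      ip: record["c-ip"],
      status: record["sc-status"],
      database: db,
    });
  }
  return hits;
}

for (const hit of findSuspiciousRequests(SAMPLE_LOG)) console.log(JSON.stringify(hit));
```

Matching on the decoded value rather than the raw query string matters: the same payload can be percent-encoded in several ways, and a check on the raw text would miss encoded quotes and comment markers. Status codes are carried through because a burst of 500 responses on this page from one client is itself a useful signal.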

Evidence notes

Source timing is based on the supplied CVE and NVD metadata: published 2017-02-02T07:59:00.130Z and modified 2026-05-13T00:24:29.033Z. The CVE description states the issue affects SageCRM 7.x before 7.3 SP3 and references a proof-of-concept URI. NVD lists affected CPEs for SageCRM 7.0, 7.1, 7.2, 7.3, 7.3 SP1, and 7.3 SP2, and classifies the weakness as CWE-89. External corroboration in the supplied references includes a third-party advisory and a SecurityFocus entry.

Official resources

CVE published 2017-02-02 and last modified 2026-05-13. The supplied record identifies a public proof-of-concept URI and notes affected SageCRM 7.x releases before 7.3 SP3.