CVE-2017-5219 is a critical SageCRM issue publicly disclosed on 2017-02-02. The vulnerable Component Manager accepted ZIP uploads containing a valid .ecf component file, then extracted content in a way that could be abused for path traversal. As described in the CVE record, an attacker could place additional files outside the intended inf directory and into the webroot, enabling remote interaction with th [truncated]
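The CVE record describes an extractor that trusted member names inside the uploaded ZIP. The check a Component Manager needs before writing anything is that every member, once joined to the target directory and resolved, still lies beneath that directory. The following is an added example written for this page, not SageCRM's own code: it resolves each member name against the destination, refuses the whole archive if any member escapes, and also requires the .ecf descriptor the page says the upload must carry. The member names and in-memory archives are constructed fixtures; nothing here reflects the real product's file layout.

```python
import io
import os
import tempfile
import zipfile


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return archive member names that would resolve outside dest_dir.

    Each name is joined to the destination and passed through realpath, so
    '..' segments, absolute paths and symlinked parents are collapsed before
    the containment test. This is the check an extractor must make before
    it writes a single byte.
    """
    dest = os.path.realpath(dest_dir)
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest, name))
            # commonpath equals dest only when target is dest or beneath it
            if os.path.commonpath([dest, target]) != dest:
                unsafe.append(name)
    return unsafe


def extract_component(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract a component archive only if it is well-formed and contained.

    Requires at least one .ecf descriptor and rejects the whole archive
    (rather than silently skipping members) if anything escapes dest_dir.
    Returns the member names that were written.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    if not any(n.lower().endswith(".ecf") for n in names):
        raise ValueError("archive carries no .ecf component descriptor")
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"refusing archive, members escape target: {unsafe}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
    return names


def build_sample_zip(member_names: list[str]) -> bytes:
    """Constructed fixture: an in-memory ZIP whose members have these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "placeholder\n")
    return buf.getvalue()


def _rejected(zip_bytes: bytes, dest: str) -> bool:
    """True if extract_component refuses the archive."""
    try:
        extract_component(zip_bytes, dest)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Run the checks against constructed archives and return the outcomes."""
    clean = build_sample_zip(["component.ecf", "inf/settings.txt"])
    traversal = build_sample_zip(["component.ecf", "../outside.txt"])
    no_ecf = build_sample_zip(["inf/settings.txt"])
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["clean_unsafe"] = find_unsafe_entries(clean, dest)
        results["traversal_unsafe"] = find_unsafe_entries(traversal, dest)
        results["clean_extracted"] = extract_component(clean, dest)
        results["traversal_rejected"] = _rejected(traversal, dest)
        results["no_ecf_rejected"] = _rejected(no_ecf, dest)
        # Nothing may have been written next to the destination directory.
        results["outside_file_exists"] = os.path.exists(
            os.path.join(dest, "..", "outside.txt")
        )
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Rejecting the archive outright is deliberate: CPython's `extractall` already strips leading separators and `..` components from member names, but silent stripping hides the fact that a hostile upload was attempted. Failing the request and logging the offending member names gives the operator a detection signal as well as a mitigation.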
CVE-2017-5218 is a high-severity SQL injection issue in SageCRM 7.x before 7.3 SP3. The vulnerable AP_DocumentUI.asp web resource includes Utilityfuncs.js when a file is opened or viewed, and that code builds a SQL statement used to identify the database for the current user’s session. According to the CVE record, the database value can be influenced through the URL and manipulated with unexpected charact [truncated]
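A database name spliced into a SQL statement is an identifier, so it cannot be passed as a bound parameter; the control has to be that the value never comes from the URL in the first place, or is accepted only when it matches what the server already knows. The following is an added example written for this page, not SageCRM's code or its Utilityfuncs.js logic. It models the session store as a constructed in-memory SQLite table, looks up the session's database with a parameterised query, and treats a URL-supplied value (the `db` query parameter is an assumed name) as nothing more than a hint that must be a well-formed identifier and must agree with the session record.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Strict identifier shape: leading letter or underscore, then up to 63
# letters, digits or underscores. Quotes, semicolons, comment markers and
# whitespace all fail this test.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def is_safe_identifier(value: str) -> bool:
    """True only if value matches IDENT_RE in full."""
    return IDENT_RE.fullmatch(value) is not None


def open_session_store() -> sqlite3.Connection:
    """Constructed stand-in for the server-side session table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (session_id TEXT PRIMARY KEY, "
        "database_name TEXT NOT NULL)"
    )
    # Constructed sample rows; the names are placeholders.
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("sess-1", "CRM_Prod"), ("sess-2", "CRM_Test")],
    )
    return conn


def database_for_request(conn: sqlite3.Connection, url: str, session_id: str) -> str:
    """Resolve the database name a request may use.

    The authoritative value comes from the session store via a bound
    parameter. A value in the URL is accepted only if it is a clean
    identifier AND equals the session's database; anything else is
    rejected before it can reach a SQL string.
    """
    row = conn.execute(
        "SELECT database_name FROM sessions WHERE session_id = ?",
        (session_id,),
    ).fetchone()
    if row is None:
        raise PermissionError("unknown session")
    authoritative = row[0]

    supplied = parse_qs(urlparse(url).query).get("db", [None])[0]
    if supplied is None:
        return authoritative
    if not is_safe_identifier(supplied) or supplied != authoritative:
        raise ValueError(f"rejected database value from URL: {supplied!r}")
    return authoritative


def build_document_query(database: str) -> str:
    """Build the per-database statement only from a validated identifier."""
    if not is_safe_identifier(database):
        raise ValueError("database name failed identifier check")
    # Bracket-quoting is only safe because the regex above excludes ']'.
    return f"SELECT doc_id, doc_name FROM [{database}].dbo.Documents"


def resolve(url: str, session_id: str) -> str:
    """Convenience wrapper: open the store, resolve, and build the query."""
    conn = open_session_store()
    try:
        return build_document_query(database_for_request(conn, url, session_id))
    finally:
        conn.close()


if __name__ == "__main__":
    print(resolve("https://crm.example.invalid/AP_DocumentUI.asp?db=CRM_Prod", "sess-1"))
```

The point of the allowlist-plus-session check is that the URL value never becomes the source of truth: a mismatch is a policy violation worth alerting on, not a value to quote more carefully. If the application must accept the name from the request for compatibility, comparing it against the session record is what prevents a crafted value with unexpected characters from reaching the statement.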