[原文]SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality.
SugarCRM is reported prone to multiple vulnerabilites arising from insufficient sanitization of user-supplied input. These issues can a remote attacker to carry out cross-site scripting, HTML injection, SQL injection and directory traversal attacks.
SugarCRM Multiple Module record Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
SugarCRM contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'record' parameter in multiple modules is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.
Upgrade to version 2.0.1c or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.