Description
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.
Remediation
References