Description

SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.

Remediation

References

CVE-2011-0745

Related Vulnerabilities

Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2007-5621)

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-33939)

WordPress Plugin Thrive Leads Security Bypass (2.3.9.3)

Jenkins Insufficient Session Expiration Vulnerability (CVE-2019-1003003)

WordPress Plugin iThemes Security (formerly Better WP Security) Cross-Site Scripting (4.6.12)

Severity

Medium

Classification

CVE-2011-0745 CWE-20

Tags

Missing Update Known Vulnerabilities