CVE-2019-14974

Severity: MEDIUM · Nuclei template available

SugarCRM Enterprise 9.0.0 - Cross-Site Scripting via desktop_url Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-14974. PoCs published by Ilca Lucian Florin, conan-sudo. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a writeup describing a reflected XSS vulnerability in SugarCRM Enterprise 9.0.0. The vulnerability allows an attacker to craft a malicious URL that, when clicked, executes arbitrary JavaScript in the victim's browser due to improper input sanitization.

Description

SugarCRM Enterprise 9.0.0 is vulnerable to reflected cross-site scripting via the desktop_url parameter of mobile/error-not-supported-platform.html (e.g. mobile/error-not-supported-platform.html?desktop_url=...).

Exploits (2)

exploitdb WRITEUP
by Ilca Lucian Florin · text · webapps · php
https://www.exploit-db.com/exploits/47247


Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SugarCRM Enterprise 9.0.0
Authentication: none needed
Prerequisites: Victim interaction (clicking a malicious link)
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER · 4 stars
by conan-sudo · poc
https://github.com/conan-sudo/CVE-2019-14974-bypass

This repository contains a Nuclei template for detecting CVE-2019-14974, a reflected XSS vulnerability in SugarCRM Enterprise 9.0.0. The template sends a crafted GET request to the vulnerable endpoint and checks for specific response patterns to confirm the vulnerability.

Classification: Scanner (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: SugarCRM Enterprise 9.0.0
Authentication: none needed
Prerequisites: Access to the target SugarCRM instance
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
MEDIUM · by madrobot
Shodan: http.html:"sugarcrm inc. all rights reserved" || http.title:sugarcrm
FOFA: body="sugarcrm inc. all rights reserved" || title=sugarcrm

References (1)

Core References (1)
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc)
https://www.exploit-db.com/exploits/47247

Scores

CVSS v3: 6.1
EPSS: 0.3104
EPSS Percentile: 98.0%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): sugarcrm/sugarcrm 9.0.0
Published: Aug 14, 2019
Tracked Since: Feb 18, 2026