CVE-2020-28956: 
SugarCRM vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in the Sales module of SugarCRM v6.5.18. The vulnerability was assigned CVE-2020-28956 and was disclosed on November 19, 2020. The vulnerability affects the primary address state and alternate address state input fields in the Sales module (MITRE CVE, Vulnerability Lab).

The vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the primary address state or alternate address state input fields. The attack vector is persistent and can be exploited through POST requests. The vulnerability occurs because when changing the main address, the alternate address state input is not properly sanitized, allowing malicious code to appear in the front-end. The attack is limited to registered user accounts with access to the contacts module (Vulnerability Lab).

Successful exploitation of the vulnerability can result in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of affected application modules. The vulnerability affects both the Sales and Support modules, with the malicious code executing immediately after saving in both the primary address state and alternate address state sections (Vulnerability Lab).

The vulnerability can be mitigated by restricting the input fields and disallowing special characters for the main name values displayed in the list, escaping the input transmitted from the alternate and primary inputs, and parsing and sanitizing the output location to ensure it's filtered securely (Vulnerability Lab).