PT-2023-30231 · Sugarcrm · Sugarcrm

Egidio Romano · Published 2023-10-27 · Updated 2024-06-03 · CVE-2023-46815

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SugarCRM versions prior to 12.0.4
SugarCRM versions prior to 13.0.2

Description
An issue has been discovered in the Notes module, allowing for an Unrestricted File Upload. Because the uploaded attachment is not validated, an attacker can inject custom PHP code via a crafted request. The issue can be exploited by an attacker with regular user privileges.

Recommendations
For versions prior to 12.0.4, update to version 12.0.4 or later. For versions prior to 13.0.2, update to version 13.0.2 or later. As a temporary workaround, consider disabling the Notes module until a patch is available. Restrict access to the set-note-attachment function to minimize the risk of exploitation.
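As an added, defender-side illustration that is not SugarCRM's code and says nothing about how the Notes module actually stores attachments: the kind of allowlist check on file extension and sniffed content type that "missing input validation" on an attachment upload refers to. The function name, the allowlist, the form field name and the storage path are assumptions.

```php
<?php
// Added example (hypothetical): validate an attachment before it is stored.
// Not SugarCRM code; validateNoteAttachment(), the allowlist and the
// storage path below are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate an uploaded attachment and return an opaque, safe storage
 * filename. Throws RuntimeException when the upload must be rejected.
 *
 * @param string $clientName Filename supplied by the client (untrusted).
 * @param string $tmpPath    Path of the uploaded temporary file on disk.
 */
function validateNoteAttachment(string $clientName, string $tmpPath): string
{
    // Allowlist: extension => content types that the extension may carry.
    // Checking both, and that they agree, blocks a PHP payload renamed to .png.
    $allowed = [
        'pdf'  => ['application/pdf'],
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'txt'  => ['text/plain'],
    ];

    // Drop any directory component the client may have sent.
    $base = basename($clientName);

    // Reject names a web server could hand to the PHP interpreter, including
    // double extensions such as "report.php.png".
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $base)) {
        throw new RuntimeException('Executable file type rejected');
    }

    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("Extension .$ext is not permitted");
    }

    // Sniff the real content type; ignore the client-declared MIME type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException("Content type does not match .$ext");
    }

    // Never reuse the client filename: an opaque random name with the
    // validated extension cannot be chosen or guessed by the uploader.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage sketch (assumed form field "attachment" and assumed storage path
// outside the web root so that stored files are never served as code):
// $f    = $_FILES['attachment'];
// $name = validateNoteAttachment($f['name'], $f['tmp_name']);
// move_uploaded_file($f['tmp_name'], '/var/sugar-uploads/' . $name);
```

The two checks reinforce each other: the extension allowlist prevents the stored file from being interpreted as PHP, and the content sniff prevents a renamed script from passing as an image; storing under a random name in a directory the web server does not execute from removes the remaining path to code execution.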

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2023-46815

Affected Products

Sugarcrm