PT-2023-25325 · Sugarcrm · Sugarcrm Enterprise

Egidio Romano · Published 2023-06-17 · Updated 2024-12-17 · CVE-2023-35808

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SugarCRM Enterprise versions prior to 11.0.6
SugarCRM Enterprise versions 12.x prior to 12.0.3

Description
An Unrestricted File Upload issue has been identified in the Notes module due to missing input validation. It allows an authenticated user with regular privileges to inject custom PHP code through crafted requests and have it executed on the server. The issue affects not only Enterprise editions but also other editions.

Recommendations
For SugarCRM Enterprise versions prior to 11.0.6, update to version 11.0.6 or later to resolve the issue. For SugarCRM Enterprise versions 12.x prior to 12.0.3, update to version 12.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the Notes module until a patch is applied.

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers
CVE-2023-35808

Affected Products
Sugarcrm Enterprise