PT-2023-25328
Egidio Romano · Published 2023-06-17 · Updated 2023-08-23
CVE-2023-35810
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SugarCRM Enterprise versions prior to 11.0.6
SugarCRM Enterprise versions 12.x prior to 12.0.3
Description
A Second-Order PHP Object Injection issue has been identified in the DocuSign module. This occurs due to missing input validation, allowing custom PHP code to be injected and executed through crafted requests. Admin user privileges are required to exploit this issue. Editions other than Enterprise are also affected.
Recommendations
For SugarCRM Enterprise versions prior to 11.0.6, update to version 11.0.6 or later.
For SugarCRM Enterprise versions 12.x prior to 12.0.3, update to version 12.0.3 or later.
As a temporary workaround, consider restricting access to the DocuSign module until a patch is applied.
Fix
Weakness Enumeration
Special Elements Injection
Related Identifiers
Affected Products
Docusign
Sugarcrm Enterprise