PT-2023-25329 · Sugarcrm · Sugarcrm Enterprise

Egidio Romano · Published 2023-06-17 · Updated 2023-08-23 · CVE-2023-35811

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SugarCRM Enterprise versions prior to 11.0.6
SugarCRM Enterprise versions 12.x prior to 12.0.3

Description

Two SQL injection vectors have been identified in the REST API of SugarCRM. The root cause is missing input validation, which allows attacker-supplied SQL to be injected through crafted requests. Exploitation requires only regular user privileges. The issue affects not only Enterprise editions but also other editions.

Recommendations

For SugarCRM Enterprise versions prior to 11.0.6, update to version 11.0.6 or later to resolve the issue. For SugarCRM Enterprise versions 12.x prior to 12.0.3, update to version 12.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API until the patched version can be deployed.

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2023-35811

Affected products

Sugarcrm Enterprise