PT-2023-30232 · Sugarcrm · Sugarcrm

Egidio Romano · Published 2023-10-27 · Updated 2023-11-08 · CVE-2023-46816

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SugarCRM versions prior to 12.0.4
SugarCRM versions prior to 13.0.2
Description
A Server-Side Template Injection (SSTI) issue has been identified in the GetControl action: missing input validation allows custom PHP code to be injected via that action. An attacker with regular user privileges can exploit this issue.
Recommendations
For SugarCRM versions prior to 12.0.4, update to version 12.0.4 or later.
For SugarCRM versions prior to 13.0.2, update to version 13.0.2 or later.

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2023-46816

Affected Products: Sugarcrm