CVE-2023-22952

CVSS 8.8 HIGH · EPSS 80.3% · KEV · CWE-94
In short

SugarCRM releases before 12.0 Hotfix 91155 let a remote attacker holding a low-privileged account inject PHP code through email templates, because the EmailTemplates module does not validate its input. The injected code runs on the server in the context of the application, so the issue can lead to full compromise of the host and unauthorized access to the CRM data it holds.

Technical detail

The underlying weakness is CWE-94 (Improper Control of Generation of Code, "Code Injection"). A remote attacker with low privileges (PR:L in the vector below) sends a crafted request whose content is accepted by the EmailTemplates module without input validation; because that content ends up being interpreted as PHP rather than handled as plain template data, the attacker's code executes in the context of the web application. From there the usual consequences follow: compromise of the server and access to the data the application stores. The KEV flag and the 80% EPSS score above indicate that exploitation in the wild is confirmed and likely, so unpatched, internet-reachable instances should be examined for signs of compromise, not only updated.

Summary generated and translated by AI from the official description.
Official description: In SugarCRM before 12.0 Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
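The weakness class, illustrated as an added example: this is hypothetical PHP written for this page, not SugarCRM's own EmailTemplates code and not the exploit for this CVE. The vulnerable function treats a stored template body as PHP source, so a body containing `<?php ... ?>` executes; the hardened version rejects PHP open tags and unknown placeholders on save and renders by escaped substitution only. The template body, placeholder names and function names are all constructed for the demonstration.

```php
<?php
// Added illustration of CWE-94 in a hypothetical email-template feature.
// Not SugarCRM's code: the function names, placeholders and sample body are
// constructed for this example.
declare(strict_types=1);

// Constructed attacker-controlled template body. The payload is benign so the
// demo is safe to run, but the vulnerable path would execute any PHP placed here.
const MALICIOUS_BODY =
    'Dear {first_name}, <?php echo "[injected PHP ran on " . php_uname("s") . "]"; ?>';

// VULNERABLE: the body is written to a .php file and included, so PHP tags
// inside user input are handed to the interpreter.
function renderTemplateVulnerable(string $body, array $vars): string
{
    foreach ($vars as $name => $value) {
        $body = str_replace('{' . $name . '}', $value, $body);
    }
    $base = tempnam(sys_get_temp_dir(), 'tpl_');
    $path = $base . '.php';
    file_put_contents($path, $body);
    ob_start();
    include $path;                 // user-controlled PHP executes here
    $out = (string) ob_get_clean();
    unlink($path);
    unlink($base);
    return $out;
}

// HARDENED, step 1: validate on save. Reject any PHP open tag (long, short or
// echo form; "<?" covers all of them) and any placeholder outside the allow-list.
function validateTemplateBody(string $body): void
{
    if (preg_match('/<\?/', $body)) {
        throw new InvalidArgumentException('PHP tags are not allowed in templates');
    }
    $allowed = ['first_name', 'last_name', 'company'];
    preg_match_all('/\{([a-z_]+)\}/', $body, $matches);
    foreach ($matches[1] as $placeholder) {
        if (!in_array($placeholder, $allowed, true)) {
            throw new InvalidArgumentException("Unknown placeholder: {$placeholder}");
        }
    }
}

// HARDENED, step 2: render by substitution only. Values are HTML-escaped and
// nothing from the template ever reaches the interpreter.
function renderTemplateSafe(string $body, array $vars): string
{
    validateTemplateBody($body);
    return preg_replace_callback(
        '/\{([a-z_]+)\}/',
        fn (array $m): string => htmlspecialchars($vars[$m[1]] ?? '', ENT_QUOTES, 'UTF-8'),
        $body
    );
}

// Constructed recipient data; the angle brackets show that the safe renderer
// also escapes substituted values, not just the template.
$vars = ['first_name' => 'Alice <script>'];

echo "vulnerable: " . renderTemplateVulnerable(MALICIOUS_BODY, $vars) . "\n";

try {
    echo "hardened:   " . renderTemplateSafe(MALICIOUS_BODY, $vars) . "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")\n";
}

echo "hardened, benign body: " . renderTemplateSafe('Hello {first_name}', $vars) . "\n";
```

Run it with `php example.php` (PHP 7.4 or later for the arrow function). The vulnerable path writes a temporary .php file under the system temp directory and prints the injected marker; the hardened path rejects the same body before anything is stored. Rejecting every `<?` sequence also blocks `<?xml`, which is the conservative choice for a feature that has no reason to accept processing instructions in user-supplied templates.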
Affected products
n/a · n/a