12.0.0

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sugarcrm

NVD

Published: 2023-06-17

Updated: 2023-08-23

Summary

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.

Vulnerable Configurations

Part	Description	Count
Application	Sugarcrm Sugarcrm Sugarcrm 12.0.0 Sugarcrm Sugarcrm 11.0.0	8

References

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/
http://seclists.org/fulldisclosure/2023/Aug/27
http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html