CVE-2023-35810: sa-2023-009 - SugarCRM Support Site
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability. Editions other than Enterprise are also affected.
Advisory ID: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009
Revision: 1.1
Last Updated: 2023-04-13
Status: Final
Summary
Risk Level: High
Vulnerability: Second Order PHP Object Injection
Description
A Second Order PHP Object Injection vulnerability has been identified in the DocuSign module. Using a specially crafted request, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability.
We have not experienced any reported incidents to date related to this vulnerability.
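The advisory names the vulnerability class but, as is usual for vendor advisories, gives no code. The following is an added illustration of what "second-order" PHP object injection means in general: user input is stored without validation on one request and only reaches unserialize() on a later request, so the dangerous sink is far from the input point. This is not SugarCRM or DocuSign module code; the class TemplateCache, the functions, the in-memory settings store and the payload are all invented for the demonstration, and the gadget is deliberately simple (a real chain would reuse whatever magic methods exist in the application or its vendored libraries).

```php
<?php
// Added example: generic second-order PHP object injection, vulnerable sink beside a
// hardened one. Hypothetical code, not the SugarCRM DocuSign module. Requires PHP >= 7.0
// for the allowed_classes option of unserialize().

// A "gadget": an ordinary-looking class whose magic method has a side effect.
// The attacker does not need to upload this class; it only needs to exist in scope.
class TemplateCache
{
    public $path;
    public $contents;

    public function __destruct()
    {
        // Runs automatically when an unserialized instance is garbage-collected:
        // attacker-controlled path + attacker-controlled contents = arbitrary file write.
        file_put_contents($this->path, $this->contents);
    }
}

// Stage 1 (first-order request): the value is stored, nothing is unserialized yet.
// Stand-in for a settings/config table.
$db = [];

function saveIntegrationSettings(array &$db, string $accountId, string $settings): void
{
    // Missing input validation: the raw string is persisted verbatim. No error, no
    // side effect, which is why this is easy to miss during review.
    $db[$accountId] = $settings;
}

// Stage 2 (second-order request): the stored value is read back and unserialized.
function loadIntegrationSettingsVulnerable(array $db, string $accountId)
{
    // The sink. Any class in scope can be instantiated with attacker-chosen properties.
    return unserialize($db[$accountId]);
}

function loadIntegrationSettingsHardened(array $db, string $accountId): array
{
    // Refuse to instantiate objects at all: a serialized object becomes
    // __PHP_Incomplete_Class, whose magic methods never run. Then enforce the
    // shape that was actually expected. (Storing JSON instead of PHP serialization
    // removes the sink entirely and is the better fix where the schema allows it.)
    $value = @unserialize($db[$accountId], ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('settings must be a serialized array');
    }
    return $value;
}

// Constructed payload: a hand-built serialized TemplateCache. Built by hand rather than
// with serialize() so that no live object (and no destructor) exists until the sink runs.
$path     = sys_get_temp_dir() . '/second_order_poc.txt';
$contents = 'written by unserialize() gadget';
$payload  = sprintf(
    'O:13:"TemplateCache":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($path), $path, strlen($contents), $contents
);

// Request 1: attacker with the required privileges submits the payload as "settings".
saveIntegrationSettings($db, 'acct-1', $payload);
echo "stored; file exists after stage 1? " . (file_exists($path) ? 'yes' : 'no') . "\n"; // no

// Request 2, vulnerable path: the object is rebuilt and its destructor fires.
$obj = loadIntegrationSettingsVulnerable($db, 'acct-1');
unset($obj);
echo "vulnerable sink: file exists? " . (file_exists($path) ? 'yes' : 'no') . "\n"; // yes
@unlink($path);

// Request 2, hardened path: the same stored string is rejected and nothing is written.
try {
    loadIntegrationSettingsHardened($db, 'acct-1');
} catch (InvalidArgumentException $e) {
    echo "hardened sink: rejected (" . $e->getMessage() . "); file exists? "
        . (file_exists($path) ? 'yes' : 'no') . "\n"; // no
}
```

The point to take from this for triage: grepping the handler that accepts the input finds nothing alarming, because the injection only becomes exploitable at whichever later code path calls unserialize() on the stored value. When reviewing a fix for this class of bug, check both that the input is validated at storage time and that the read path no longer instantiates arbitrary classes.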
Affected Products
The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.
Product        | Editions                                         | Fixed Release
SugarCRM 12.0  | Enterprise, Sell, Serve                          | 12.0.3
SugarCRM 11.0  | Professional, Enterprise, Ultimate, Sell, Serve  | 11.0.6
Upgrades
On-Site Customers
It is strongly recommended to upgrade the affected products to the reported fixed release version. SugarCRM maintains different releases of its products, each with specific upgrade paths. Refer to the Installation and Upgrade Guide specific to your Sugar version and product to patch your instance. Contact Sugar Support for any further inquiries regarding upgrades.
SugarCloud Customers
Customers hosted on SugarCloud will receive an upgrade automatically.
Workaround
There is no workaround available for this vulnerability.
Publication History
2023-04-06
Update audience disclosure
2023-02-14
Internal disclosure
A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.
Credits
The vulnerability has been responsibly disclosed by Egidio Romano and has been fixed by the SugarCRM Security Team.
Related news
SugarCRM versions 12.2.0 and below suffer from a PHP object injection vulnerability.