CVE-2023-22952: sa-2023-001 - SugarCRM Support Site

In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

Advisory ID: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001

Revision: 1.0

Last Updated: 2023-01-10

Status: Final

Summary

Risk Level: High

Vulnerability: RCE (Remote Code Execution)

Description

A Remote Code Execution vulnerability has been identified in the EmailTemplates module. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates because of missing input validation. The vulnerability can be exploited from any user privilege level.

Affected Products

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

Product: SugarCRM 12.2 (Enterprise, Sell, Serve)
Fixed Release:
  12.2.0
  Hotfixed in SugarCloud

Product: SugarCRM 12.1 (Enterprise, Sell, Serve)
Fixed Release:
  12.1.0
  Hotfixed in SugarCloud

Product: SugarCRM 12.0 (Enterprise, Sell, Serve)
Fixed Release:
  12.0.
  Hotfix 91155 12.0.0-12.0.1 (Ent+Ult) v1.1
  Hotfix 91155 12.0.0-12.0.1 (Pro) v1.1
  Hotfixed in SugarCloud

Product: SugarCRM 11.3 (Professional, Enterprise, Ultimate, Sell, Serve)
Fixed Release:
  11.3.0
  Hotfixed in SugarCloud

Product: SugarCRM 11.2 (Professional, Enterprise, Ultimate, Sell, Serve)
Fixed Release:
  11.2.0
  Hotfixed in SugarCloud

Product: SugarCRM 11.1 (Professional, Enterprise, Ultimate, Sell, Serve)
Fixed Release:
  11.1.0
  Hotfixed in SugarCloud

Product: SugarCRM 11.0 (Professional, Enterprise, Ultimate, Sell, Serve)
Fixed Release:
  11.0.4
  Hotfix 91155 11.0.0-11.0.5 (Ent+Ult) v1.1
  Hotfix 91155 11.0.0-11.0.5 (Pro) v1.1
  Hotfixed in SugarCloud

Upgrades

On-Site Customers

For more information on mitigation, please contact Sugar Support or refer to our FAQ.

SugarCloud and SugarCRM Managed Hosting Customers

The hotfix has been applied to all supported Sugar versions.

Workaround

There is no workaround available for this vulnerability.

Publication History

2023-01-10: Update audience disclosure

2023-01-03: Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.

Credits

The vulnerability has been responsibly disclosed by several SugarCRM partners and has been fixed by the SugarCRM Security Team.

Related news

SugarCRM 12.x Remote Code Execution / Shell Upload

This Metasploit module exploits CVE-2023-22952, a remote code execution vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2.

CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. "Oracle

Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That's according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to
