CVE-2023-35811: sa-2023-008 - SugarCRM Support Site

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can be used for exploitation. Editions other than Enterprise are also affected.

Category: CVE
Tags: #sql #vulnerability #php

SugarCRM Security Advisory: sugarcrm-sa-2023-008

Advisory ID: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008

Revision: 1.0

Last Updated: 2023-03-16

Status: Final

Summary

Risk Level: High

Vulnerability: SQL Injection

Description

Two SQL Injection vulnerabilities have been identified in the REST API. Using a specially crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can exploit these vulnerabilities.

No incidents related to these vulnerabilities have been reported to us to date.

Affected Products

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

| Product       | Editions                                        | Fixed Release |
|---------------|-------------------------------------------------|---------------|
| SugarCRM 12.0 | Enterprise, Sell, Serve                         | 12.0.3        |
| SugarCRM 11.0 | Professional, Enterprise, Ultimate, Sell, Serve | 11.0.6        |

Upgrades

On-Site Customers

It is strongly recommended to upgrade the affected products to the reported fixed release version. SugarCRM maintains different releases of its products, each with specific upgrade paths. Refer to the Installation and Upgrade Guide specific to your Sugar version and product to patch your instance. Contact Sugar Support for any further inquiries regarding upgrades.

SugarCloud Customers

Customers hosted on SugarCloud will receive an upgrade automatically.

Workaround

There is no workaround available for these vulnerabilities.

Publication History

2023-04-06: Update audience disclosure

2023-02-14: Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.

Credits

These vulnerabilities have been responsibly disclosed by Egidio Romano and have been fixed by the SugarCRM Security Team.

Related news

SugarCRM 12.2.0 SQL Injection

SugarCRM versions 12.2.0 and below suffer from multiple remote SQL injection vulnerabilities.
