CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-46815
https://notcve.org/view.php?id=CVE-2023-46815
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with regular user privileges can exploit this. Se descubrió un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. • https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-46816
https://notcve.org/view.php?id=CVE-2023-46816
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this. Se descubrió un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. • https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35810 – SugarCRM 12.2.0 PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-35810
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing input validation. Admin user privileges are required to exploit this vulnerability. Editions other than Enterprise are also affected. • http://packetstormsecurity.com/files/174302/SugarCRM-12.2.0-PHP-Object-Injection.html http://seclists.org/fulldisclosure/2023/Aug/28 https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35809 – SugarCRM 12.2.0 Bean Manipulation
https://notcve.org/view.php?id=CVE-2023-35809
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected. • http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html http://seclists.org/fulldisclosure/2023/Aug/27 https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007 •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35808 – SugarCRM 12.2.0 Shell Upload
https://notcve.org/view.php?id=CVE-2023-35808
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected. • http://packetstormsecurity.com/files/174300/SugarCRM-12.2.0-Shell-Upload.html http://seclists.org/fulldisclosure/2023/Aug/26 https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006 • CWE-434: Unrestricted Upload of File with Dangerous Type •