CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2024-58258 – SugarCRM 14.0.0 Code Injection / SSRF / File Read
https://notcve.org/view.php?id=CVE-2024-58258
13 Jul 2025 — SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur. • https://packetstorm.news/files/id/206496 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 0CVE-2023-46815
https://notcve.org/view.php?id=CVE-2023-46815
27 Oct 2023 — An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with regular user privileges can exploit this. Se descubrió un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. • https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 0CVE-2023-46816
https://notcve.org/view.php?id=CVE-2023-46816
27 Oct 2023 — An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this. Se descubrió un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. • https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010 • CWE-94: Improper Control of Generation of Code ('Code Injection') •