CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 0CVE-2023-46815
https://notcve.org/view.php?id=CVE-2023-46815
27 Oct 2023 — An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with regular user privileges can exploit this. Se descubrió un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. • https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 0CVE-2023-46816
https://notcve.org/view.php?id=CVE-2023-46816
27 Oct 2023 — An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this. Se descubrió un problema en SugarCRM 12 anterior a 12.0.4 y 13 anterior a 13.0.2. • https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010 • CWE-94: Improper Control of Generation of Code ('Code Injection') •