CVE-2023-35811
SugarCRM 12.2.0 SQL Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected.
Se ha descubierto un problema en SugarCRM Enterprise antes de v11.0.6 y v12.x antes de v12.0.3. Se han identificado dos vectores de inyección SQL en la API REST. Mediante el uso de peticiones manipuladas, código SQL personalizado puede ser inyectado a través de la API REST debido a la falta de validación de entrada. Los privilegios de un usuario normal pueden utilizarse para la explotación. Las ediciones distintas a Enterprise también se ven afectadas.
SugarCRM versions 12.2.0 and below suffer from multiple remote SQL injection vulnerabilities.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-06-17 CVE Reserved
- 2023-06-17 CVE Published
- 2023-08-23 First Exploit
- 2024-12-17 CVE Updated
- 2025-01-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html |
|
|
| http://seclists.org/fulldisclosure/2023/Aug/29 | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/174303 | 2023-08-23 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008 | 2023-08-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 11.0.0 < 11.0.6 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 11.0.0 < 11.0.6" | enterprise |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 11.0.0 < 11.0.6 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 11.0.0 < 11.0.6" | professional |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 11.0.0 < 11.0.6 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 11.0.0 < 11.0.6" | sell |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 11.0.0 < 11.0.6 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 11.0.0 < 11.0.6" | serve |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 11.0.0 < 11.0.6 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 11.0.0 < 11.0.6" | ultimate |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 12.0.0 < 12.0.3 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 12.0.0 < 12.0.3" | enterprise |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 12.0.0 < 12.0.3 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 12.0.0 < 12.0.3" | sell |
Affected
| ||||||
| Sugarcrm Search vendor "Sugarcrm" | Sugarcrm Search vendor "Sugarcrm" for product "Sugarcrm" | >= 12.0.0 < 12.0.3 Search vendor "Sugarcrm" for product "Sugarcrm" and version " >= 12.0.0 < 12.0.3" | serve |
Affected
| ||||||