CVE-2023-46816

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.

Published: Oct 27, 2023
Updated: Nov 8, 2023
CVE: CVE-2023-46816
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
sugarcrm / sugarcrm	13.0.0	13.0.0.x
sugarcrm / sugarcrm	13.0.1	13.0.1.x
sugarcrm / sugarcrm	12.0.0	12.0.4

https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/

Vulnerability Database

CVE-2023-46816