CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2023-22952

In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.931

EPSS Ranking 99.8%

CVSS Severity

CVSS v3 Score 8.8

Proposed Action

Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.

Ransomware Campaign

Unknown

References

http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/
http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22952

Products affected by CVE-2023-22952

Sugarcrm » Sugarcrm » Version: 11.0.0

cpe:2.3:a:sugarcrm:sugarcrm:11.0.0
Sugarcrm » Sugarcrm » Version: 12.0.0

cpe:2.3:a:sugarcrm:sugarcrm:12.0.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2023-22952

Products

Pricing

Contact Us