Vulnerability Details CVE-2023-22952
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.938
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 8.8
Proposed Action
Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/
- http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/