CVE-2023-35809

HIGH

SugarCRM 11.0.0-11.0.5 12.0.0-12.0.2 - Authenticated PHP Code Injection via REST API

Title source: llm

Description

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.

References (3)

Core 3

Core References

Vendor Advisory

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/

Mailing List mailing-list

http://seclists.org/fulldisclosure/2023/Aug/27

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/174301/SugarCRM-12.2.0-Bean-Manipulation.html

Scores

CVSS v3 8.8

EPSS 0.0126

EPSS Percentile 65.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

sugarcrm/sugarcrm 11.0.0 - 11.0.6 (5 CPE variants)

Published Jun 17, 2023

Tracked Since Feb 18, 2026