CVE-2023-22952 is a vulnerability in SugarCRM
Published on January 11, 2023

In SugarCRM before 12.0 Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

References: Vendor Advisory, NVD

Known Exploited Vulnerability

This Multiple SugarCRM Products Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates component. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.

The following remediation steps are recommended / required by February 23, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2023-22952 is exploitable with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2023-22952

What versions of Sugarcrm are vulnerable to CVE-2023-22952?