CVE-2023-22952

CVSS 8.8 HIGH · EPSS 80.3% · KEV · CWE-94
Vexday Risk Score: 93 (Fix now)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 8.8 · EPSS 80.3% · KEV: yes · Public PoC · Patch available
Lifecycle
11 Jan 2023: Published on NVD
02 Feb 2023: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

SugarCRM versions before 12.0 Hotfix 91155 allow attackers to inject and execute malicious PHP code through email templates due to insufficient input validation. This can lead to complete system compromise and unauthorized access to sensitive data.

Technical detail

The flaw is a CWE-94 (Improper Control of Generation of Code) weakness: a remote attacker can craft requests that inject arbitrary PHP code into EmailTemplates, which are not subject to proper input validation. The injected code executes in the context of the application, potentially leading to complete server compromise and a data breach.

Summary generated and translated by AI from the official description.
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a