Description

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.

Remediation

References

CVE-2023-46816

Related Vulnerabilities

MODX Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2016-10038)

WordPress Plugin kk Star Ratings 'root' Parameter Remote File Include (1.7)

WordPress Plugin Affiliate Ads for Clickbank Products Cross-Site Scripting (1.6)

Moodle URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-35652)

Oracle Database Server CVE-2014-4289 Vulnerability (CVE-2014-4289)

Severity

High

Classification

CVE-2023-46816 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities