Description

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.

Remediation

References

CVE-2023-46816

Related Vulnerabilities

WordPress Plugin MasterStudy LMS-for Online Courses and Education SQL Injection (3.2.5)

Oracle JRE CVE-2012-5069 Vulnerability (CVE-2012-5069)

SugarCRM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-17310)

PostgreSQL Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Vulnerability (CVE-2015-0243)

WebLogic Missing Authentication for Critical Function Vulnerability (CVE-2024-21007)

Severity

High

Classification

CVE-2023-46816 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities