Description
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.
Remediation
References
Related Vulnerabilities
Joomla CVE-2012-0836 Vulnerability (CVE-2012-0836)
Django Inefficient Regular Expression Complexity Vulnerability (CVE-2023-36053)
WordPress Plugin Tom M8te Directory Traversal (1.5.3)
WordPress Plugin BuddyPress Security Bypass (5.1.0)
WordPress Plugin LearnPress-WordPress LMS PHP Object Injection (4.1.7.1)