An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Side Template Injection (SSTI) vulnerability has been identified in the GetControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.
References
| Link | Resource |
|---|---|
| https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/ | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2023-10-27T00:00:00
Updated: 2023-10-27T03:28:43.072794
Reserved: 2023-10-27T00:00:00
Link: CVE-2023-46816
NVD Information
Status: Analyzed
Published: 2023-10-27T04:15:10.847
Modified: 2023-11-07T20:47:44.823
Link: CVE-2023-46816
Redhat Information
No data.
CWE