An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:08
| Type | Values Removed | Values Added |
|---|---|---|
| References | () http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html - | |
| References | () http://seclists.org/fulldisclosure/2023/Aug/29 - | |
| References | () https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/ - Vendor Advisory |
23 Aug 2023, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
23 Aug 2023, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
26 Jun 2023, 18:18
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:* cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:* cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:* cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:* cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:* |
|
| First Time |
Sugarcrm
Sugarcrm sugarcrm |
|
| CWE | CWE-89 | |
| References | (MISC) https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/ - Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
17 Jun 2023, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-06-17 22:15
Updated : 2024-11-21 08:08
NVD link : CVE-2023-35811
Mitre link : CVE-2023-35811
CVE.ORG link : CVE-2023-35811
JSON object : View
Products Affected
sugarcrm
- sugarcrm
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')