CVE-2023-35811 : An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected.

Published 2023-06-17 22:15:10

Updated 2023-08-23 16:15:09

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2023-35811

Sugarcrm » Sugarcrm » Enterprise Edition
Versions from including (>=) 12.0.0 and before (<) 12.0.3
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Serve Edition
Versions from including (>=) 12.0.0 and before (<) 12.0.3
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Ultimate Edition
Versions from including (>=) 11.0.0 and before (<) 11.0.6
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:ultimate:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Professional Edition
Versions from including (>=) 11.0.0 and before (<) 11.0.6
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:professional:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Serve Edition
Versions from including (>=) 11.0.0 and before (<) 11.0.6
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:serve:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Sell Edition
Versions from including (>=) 12.0.0 and before (<) 12.0.3
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Sell Edition
Versions from including (>=) 11.0.0 and before (<) 11.0.6
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:sell:*:*:*
Matching versions
Sugarcrm » Sugarcrm » Enterprise Edition
Versions from including (>=) 11.0.0 and before (<) 11.0.6
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-35811

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-35811

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-35811

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-35811

http://packetstormsecurity.com/files/174303/SugarCRM-12.2.0-SQL-Injection.html

SugarCRM 12.2.0 SQL Injection ≈ Packet Storm
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/

sugarcrm-sa-2023-008 - SugarCRM Support Site
Vendor Advisory
http://seclists.org/fulldisclosure/2023/Aug/29

Full Disclosure: [KIS-2023-08] SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities

Jump to

Vulnerability Details : CVE-2023-35811

Products affected by CVE-2023-35811

Exploit prediction scoring system (EPSS) score for CVE-2023-35811

CVSS scores for CVE-2023-35811

CWE ids for CVE-2023-35811

References for CVE-2023-35811