First published: Sat Jun 17 2023(Updated: )
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Sugarcrm Sugarcrm | >=11.0.0<11.0.6 | |
Sugarcrm Sugarcrm | >=11.0.0<11.0.6 | |
Sugarcrm Sugarcrm | >=11.0.0<11.0.6 | |
Sugarcrm Sugarcrm | >=11.0.0<11.0.6 | |
Sugarcrm Sugarcrm | >=11.0.0<11.0.6 | |
Sugarcrm Sugarcrm | >=12.0.0<12.0.3 | |
Sugarcrm Sugarcrm | >=12.0.0<12.0.3 | |
Sugarcrm Sugarcrm | >=12.0.0<12.0.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-35811 is a vulnerability discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3 that allows SQL Injection through the REST API.
CVE-2023-35811 has a severity score of 8.8 (high).
The affected software includes SugarCRM Enterprise versions before 11.0.6 and 12.x before 12.0.3.
SQL Injection can be exploited through the REST API by using crafted requests that contain custom SQL code.
Yes, regular user privileges can be used to exploit CVE-2023-35811.