cve/2023/CVE-2023-22952.md

CVE-2023-22952

Description

In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

POC

Reference

• http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html

Github

• https://github.com/ARPSyndicate/cvemon
• https://github.com/Ostorlab/KEV
• https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
• https://github.com/h00die-gr3y/Metasploit
• https://github.com/jakabakos/PHP-payload-injection-to-PNGs
• https://github.com/santosomar/kev_checker