CVSS base score: 8.8

CVE-2023-35808

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input validation. Regular user privileges can be used to exploit this vulnerability. Editions other than Enterprise are also affected.
Data provided by the National Vulnerability Database (NVD)
Affected configurations (CPE):

Vendor    Product   Software edition  Version range
Sugarcrm  Sugarcrm  enterprise        >= 11.0.0 < 11.0.6
Sugarcrm  Sugarcrm  professional      >= 11.0.0 < 11.0.6
Sugarcrm  Sugarcrm  sell              >= 11.0.0 < 11.0.6
Sugarcrm  Sugarcrm  serve             >= 11.0.0 < 11.0.6
Sugarcrm  Sugarcrm  ultimate          >= 11.0.0 < 11.0.6
Sugarcrm  Sugarcrm  enterprise        >= 12.0.0 < 12.0.3
Sugarcrm  Sugarcrm  sell              >= 12.0.0 < 12.0.3
Sugarcrm  Sugarcrm  serve             >= 12.0.0 < 12.0.3
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics

Type  Source     Score  Percentile
EPSS  FIRST.org  0.27%  0.498
CVSS Metrics

Source                                Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                          8.8         2.8            5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0  8.8         2.8            5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-434: Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.