Multiple SugarCRM Products Remote Code Execution Vulnerability
Summary
| CVE | CVE-2023-22952 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-01-11 09:15:00 UTC |
| Updated | 2023-03-10 17:15:00 UTC |
| Description | In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation. |
Risk And Classification
EPSS: probability 0.928220000, percentile 0.997670000 (as of 2026-05-12)
CISA KEV: listed 2023-02-02; due date 2023-02-23; known ransomware use: Unknown
Problem Types: CWE-20
CISA Known Exploited Vulnerability
| Vendor | SugarCRM |
|---|---|
| Product | Multiple Products |
| Name | Multiple SugarCRM Products Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/; https://nvd.nist.gov/vuln/detail/CVE-2023-22952 |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| sugarcrm-sa-2023-001 - SugarCRM Support Site | CONFIRM | support.sugarcrm.com | |
| SugarCRM 12.x Remote Code Execution / Shell Upload ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 730704 SugarCRM Remote Code Execution (RCE) Vulnerability