[KIS-2023-10] SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability

2023-10-26 23:24:31 Author: seclists.org(查看原文) 阅读量:15 收藏

----------------------------------------------------------------------------

SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection 

Vulnerability

----------------------------------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

Version 13.0.1 and prior versions.
Version 12.0.3 and prior versions.

[-] Vulnerability Description:

There is a sort of Server-Side Template Injection (SSTI) vulnerability 

affecting

the "GetControl" action from the "Import" module. User input passed 

through the

"field_name" parameter is not properly sanitized before being used to 

construct

the path of the template to include. As such, this can be abused to 

include and

execute arbitrary PHP code through Path Traversal attacks.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/KIS-2023-10.php

[-] Solution:

Upgrade to version 13.0.2, 12.0.4, or later.

[-] Disclosure Timeline:

[23/04/2023] - Vendor notified
[21/09/2023] - Fixed versions released
[06/10/2023] - CVE identifier requested
[26/10/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-10

[-] Other References:

https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Full Disclosure mailing list archives

Current thread: