lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Oct 2023 17:24:15 +0200 From: Egidio Romano <research@...mainsecurity.com> To: Full Disclosure <fulldisclosure@...lists.org>, submissions@...ketstormsecurity.com Subject: [FD] [KIS-2023-10] SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability ---------------------------------------------------------------------------- SugarCRM <= 13.0.1 (GetControl) Server-Side Template Injection Vulnerability ---------------------------------------------------------------------------- [-] Software Link: https://www.sugarcrm.com [-] Affected Versions: Version 13.0.1 and prior versions. Version 12.0.3 and prior versions. [-] Vulnerability Description: There is a sort of Server-Side Template Injection (SSTI) vulnerability affecting the "GetControl" action from the "Import" module. User input passed through the "field_name" parameter is not properly sanitized before being used to construct the path of the template to include. As such, this can be abused to include and execute arbitrary PHP code through Path Traversal attacks. [-] Proof of Concept: https://karmainsecurity.com/pocs/KIS-2023-10.php [-] Solution: Upgrade to version 13.0.2, 12.0.4, or later. [-] Disclosure Timeline: [23/04/2023] - Vendor notified [21/09/2023] - Fixed versions released [06/10/2023] - CVE identifier requested [26/10/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-10 [-] Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-010/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists