CVE-2023-22952
Published: 11 January 2023
Summary
CVE-2023-22952 is a high-severity Improper Input Validation (CWE-20) vulnerability in SugarCRM. Its CVSS base score is 8.8 (High).
Operationally, this CVE ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-22952 affects SugarCRM versions prior to 12.0 Hotfix 91155. The flaw stems from insufficient input validation in the EmailTemplates component, allowing a crafted request to inject arbitrary PHP code (CWE-20 and CWE-94). It carries a CVSS 3.1 score of 8.8, reflecting network-accessible exploitation with low attack complexity and low required privileges.
An authenticated attacker can submit a malicious request that results in remote code execution, granting full control over the affected application including the ability to read, modify, or delete data and potentially pivot within the environment. Public proof-of-concept material demonstrates remote shell upload via this vector.
SugarCRM's security advisory directs customers to apply Hotfix 91155, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score remains elevated at 0.93, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-27053
Vulnerability details
In SugarCRM before 12.0 Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates component because of missing input validation.
- CWE(s): CWE-20, CWE-94
- KEV Date Added: 02 February 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to EmailTemplates to block crafted requests that inject PHP code.
- Malicious code protection: requires mechanisms to detect and block execution of the malicious PHP code injected via the EmailTemplates flaw.
- SI-2 (Flaw Remediation): mandates timely application of the vendor hotfix 91155 that eliminates the input-validation flaw in EmailTemplates.