Description
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.
Remediation
References
Related Vulnerabilities
Apache Tomcat Cryptographic Issues Vulnerability (CVE-2011-5064)
WordPress Plugin Coming Soon & Maintenance Mode Page Cross-Site Request Forgery (1.57)
Liferay Portal Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-25143)
Ruby Other Vulnerability (CVE-2012-5380)
WordPress Plugin Anti Spam Protection without CAPTCHA powered by Keypic Security Bypass (2.1.2)