SugarCRM <= 12.2.0 (Notes) Unrestricted File Upload Vulnerability  
[-] Software Link:  
[-] Affected Versions:  
Version 12.2.0 and prior versions.  
Version 12.0.2 and prior versions.  
Version 11.0.5 and prior versions.  
[-] Vulnerability Description:  
When handling the "save" action within the "Notes" module the   
application allows uploading  
of any kind of file into the /upload/ directory. This one is protected   
by the main SugarCRM  
.htaccess file, i.e. it doesn't allow access/execution for PHP files.   
However, this behaviour  
can be overridden if a subdirectory contains another .htaccess file. So,   
an attacker can  
leverage the vulnerability to firstly upload a new .htaccess file and   
then to upload the  
PHP code they want to execute.  
[-] Proof of Concept:  
[-] Solution:  
Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.  
[-] Disclosure Timeline:  
[14/02/2023] - Vendor notified  
[12/04/2023] - Fixed versions released  
[17/06/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
[-] CVE Reference:  
The Common Vulnerabilities and Exposures project (  
has assigned the name CVE-2023-35808 to this vulnerability.  
[-] Credits:  
Vulnerability discovered by Egidio Romano.  
[-] Original Advisory:  
[-] Other References: