SugarCRM <= 12.2.0 (updateGeocodeStatus) Bean Manipulation Vulnerability  
[-] Software Link:  
[-] Affected Versions:  
Version 12.2.0 and prior versions.  
Version 12.0.2 and prior versions.  
Version 11.0.5 and prior versions.  
[-] Vulnerability Description:
The vulnerability is exploitable through the "/maps/updateGeocodeStatus"
REST endpoint. It might allow an authenticated user (the request below
carries an OAuth token) to modify arbitrary Sugar Beans, which could lead
to a variety of security impacts, such as Privilege Escalation attacks,
by sending an HTTP request like the following:
POST /rest/v11_17/maps/updateGeocodeStatus HTTP/1.1  
Host: sugarcrm_website  
Content-Type: application/json  
OAuth-Token: d4cd573b-3b24-44ae-8eab-6d3b525f7974  
Content-Length: 96  
Connection: close  
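Two checks a defender would want from the facts above, as an added example that is not part of the original advisory: a branch-aware version test built from the affected/fixed versions listed in this advisory (11.0.x fixed in 11.0.6, 12.0.x fixed in 12.0.3, every other release at or below 12.2.0 fixed in 12.3.0), and a scan of web-server access logs for POSTs to the updateGeocodeStatus endpoint. The log lines are constructed for the example, and the regex assumes the usual Sugar REST path prefix of /rest/v<version>/ as seen in the request above.

```python
import re
from typing import List, Tuple

# Version test derived from the advisory's affected/fixed versions.
# Each supported branch received its own fix, so a plain "< 12.3.0" check
# would wrongly flag patched 11.0.x and 12.0.x installations.
FIXED_11_0 = (11, 0, 6)
FIXED_12_0 = (12, 0, 3)
FIXED_MAIN = (12, 3, 0)   # fixes 12.2.0 and every earlier non-LTS release

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '12.0.3' or
    '12.0.3 (Build 1)'. A missing patch component is treated as 0."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised SugarCRM version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True when the given SugarCRM version falls in an affected range.

    11.0.x and 12.0.x are long-term branches with their own fixed releases;
    everything else (10.x, 11.1-11.3, 12.1, 12.2, ...) is covered by the
    advisory's "12.2.0 and prior" line and is fixed from 12.3.0 onwards.
    """
    v = parse_version(version)
    major, minor, _ = v
    if major == 11 and minor == 0:
        return v < FIXED_11_0
    if major == 12 and minor == 0:
        return v < FIXED_12_0
    return v < FIXED_MAIN


# Log hunting: match POST requests to the vulnerable endpoint regardless of
# the REST API version segment (v11, v11_17, ...).
ENDPOINT_RE = re.compile(
    r'"POST\s+(/rest/v\d+(?:_\d+)?/maps/updateGeocodeStatus)\b'
)


def find_geocode_updates(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for every access-log line that is a
    POST to maps/updateGeocodeStatus. Assumes combined/common log format
    with the client address as the first field."""
    hits = []
    for line in log_lines:
        m = ENDPOINT_RE.search(line)
        if m:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group(1)))
    return hits


# Constructed sample log lines (not from a real installation).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2023:10:01:02 +0000] "POST /rest/v11_17/maps/updateGeocodeStatus HTTP/1.1" 200 96',
    '10.0.0.7 - - [23/Aug/2023:10:01:09 +0000] "GET /rest/v11_17/Accounts HTTP/1.1" 200 1842',
    '10.0.0.5 - - [23/Aug/2023:10:02:30 +0000] "POST /rest/v11/maps/updateGeocodeStatus HTTP/1.1" 200 96',
]


if __name__ == "__main__":
    for ver in ("11.0.5", "11.0.6", "12.0.2", "12.0.3", "12.2.0", "12.3.0"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    for ip, path in find_geocode_updates(SAMPLE_LOG):
        print(f"review: {ip} -> {path}")
```

A hit in the log scan is not evidence of exploitation on its own, since legitimate geocoding traffic uses the same endpoint; it scopes which clients and time windows to examine, and the bean records they touched should be checked for unexpected field changes.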
[-] Solution:  
Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.  
[-] Disclosure Timeline:  
[14/02/2023] - Vendor notified  
[12/04/2023] - Fixed versions released  
[17/06/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
[-] CVE Reference:  
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2023-35809 to this vulnerability.
[-] Credits:  
Vulnerability discovered by Egidio Romano.  
[-] Original Advisory:  
[-] Other References: