SugarCRM 12.2.0 Shell Upload

`-----------------------------------------------------------------  
SugarCRM <= 12.2.0 (Notes) Unrestricted File Upload Vulnerability  
-----------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 12.2.0 and prior versions.  
Version 12.0.2 and prior versions.  
Version 11.0.5 and prior versions.  
  
  
[-] Vulnerability Description:  
  
When handling the "save" action within the "Notes" module the   
application allows uploading  
of any kind of file into the /upload/ directory. This one is protected   
by the main SugarCRM  
.htaccess file, i.e. it doesn't allow access/execution for PHP files.   
However, this behaviour  
can be overridden if a subdirectory contains another .htaccess file. So,   
an attacker can  
leverage the vulnerability to firstly upload a new .htaccess file and   
then to upload the  
PHP code they want to execute.  
  
  
[-] Proof of Concept:  
  
https://karmainsecurity.com/pocs/CVE-2023-35808.php  
  
  
[-] Solution:  
  
Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.  
  
  
[-] Disclosure Timeline:  
  
[14/02/2023] - Vendor notified  
[12/04/2023] - Fixed versions released  
[17/06/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-35808 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2023-05  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/  
  
`