SugarCRM 12.2.0 SQL Injection

`----------------------------------------------------  
SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities  
----------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 12.2.0 and prior versions.  
Version 12.0.2 and prior versions.  
Version 11.0.5 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
1) User input passed through the “metrics” parameter to the   
“/Forecasts/metrics”  
REST API endpoint is not properly sanitized before being used to   
construct a SQL  
query. This can be exploited by malicious users to e.g. read sensitive   
data from  
the database through in-band SQL Injection attacks.  
  
2) User input passed through the “placeholder_fields” parameter to the   
e.g.  
“/Notes/{recordID}/link/history” REST API endpoint is not properly   
sanitized before  
being used to construct a SQL query. This can be exploited by malicious   
users to  
e.g. read sensitive data from the database through in-band SQL Injection   
attacks.  
  
  
[-] Proof of Concept:  
  
https://karmainsecurity.com/pocs/CVE-2023-35811_1.php  
https://karmainsecurity.com/pocs/CVE-2023-35811_2.php  
  
  
[-] Solution:  
  
Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.  
  
  
[-] Disclosure Timeline:  
  
[14/02/2023] - Vendor notified  
[12/04/2023] - Fixed versions released  
[17/06/2023] - CVE number assigned  
[23/08/2023] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-35811 to these vulnerabilities.  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
https://karmainsecurity.com/KIS-2023-08  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/  
  
`