CVE-2023-35811: 
SugarCRM vulnerability analysis and mitigation

A critical SQL Injection vulnerability (CVE-2023-35811) was discovered in SugarCRM Enterprise before versions 11.0.6 and 12.x before 12.0.3. The vulnerability was discovered on June 17, 2023, affecting multiple editions of SugarCRM including Enterprise and other variants. Two distinct SQL Injection vectors were identified in the REST API, where crafted requests could be used to inject custom SQL code due to missing input validation (NVD, MITRE).

The vulnerability exists in two specific REST API endpoints: 1) The 'metrics' parameter in the '/Forecasts/metrics' endpoint and 2) The 'placeholder_fields' parameter in the '/Notes/{recordID}/link/history' endpoint. Both endpoints fail to properly sanitize user input before constructing SQL queries. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact potential (NVD, Full Disclosure).

The vulnerability allows malicious users with regular user privileges to execute arbitrary SQL commands through the REST API. This can lead to unauthorized access to sensitive data stored in the database through in-band SQL Injection attacks, potentially compromising the confidentiality, integrity, and availability of the system (Full Disclosure).

Organizations are advised to upgrade to SugarCRM version 12.3.0, 12.0.3, 11.0.6, or later versions to address this vulnerability. The vendor has released patches that implement proper input validation to prevent SQL injection attacks (Full Disclosure).