CVE-2023-46815: 
SugarCRM vulnerability analysis and mitigation

An Unrestricted File Upload vulnerability (CVE-2023-46815) was discovered in SugarCRM versions 12 before 12.0.4 and 13 before 13.0.2. The vulnerability was identified in the Notes module and was disclosed on October 27, 2023. The affected systems include SugarCRM Enterprise, Sell, and Serve editions (NVD, SugarCRM Advisory).

The vulnerability allows custom PHP code injection through the Notes module due to missing input validation. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability can be exploited by an attacker with regular user privileges to inject and execute custom PHP code via the Notes module. This could potentially lead to unauthorized code execution on the affected systems (SugarCRM Advisory).

For on-site customers, it is strongly recommended to upgrade to the fixed versions: SugarCRM 13.0.2 for version 13 users, or 12.0.4 for version 12 users. SugarCloud customers will receive the upgrade automatically. No alternative workarounds are available for this vulnerability (SugarCRM Advisory).