SugarCRM
cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*
- 14.0
- 13.0
A server-side request forgery (SSRF) vulnerability has been identified in SugarCRM versions prior to 13.0.4 and 14.x prior to 14.0.1. Inadequate input validation in the API module allows limited code injection: an attacker could inject custom PHP code, and the flaw can be exploited by users with any privilege level.
Exploitation of this vulnerability allows server-side request forgery, enabling attackers to make unauthorized requests originating from the server where SugarCRM is hosted. This could be used to reach internal services or resources that are not reachable from the Internet, such as back-end APIs on the local network.
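The root cause named above is inadequate validation of attacker-controlled input before the server uses it. As an added illustration, not code from SugarCRM or from this advisory, the guard below shows what "adequate" validation of a user-supplied outbound URL looks like: allow only http/https, reject embedded credentials, resolve the host, reject every answer that lands in loopback, private, link-local (including the cloud metadata address), CGNAT, multicast or IPv4-mapped ranges, and pin the checked IP so the fetch cannot be redirected by a second DNS lookup. The DNS table (`FAKE_DNS`) and the hostnames in it are constructed for this example so it runs offline.

```python
"""Outbound-URL guard against SSRF (added example, not SugarCRM code).

The resolver is injectable so the example runs offline against a
constructed DNS table; in production pass a real resolver such as
socket.getaddrinfo and connect to the returned, pinned IP address.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Networks a server-side fetcher must never reach on behalf of a user:
# unspecified, RFC 1918, CGNAT, loopback, link-local (169.254.169.254 is
# the cloud metadata endpoint), multicast, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed DNS table standing in for a real resolver (assumption).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.evil.test": ["169.254.169.254"],        # name -> cloud metadata
    "dual.evil.test": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}


class SSRFBlocked(ValueError):
    """Raised when a URL must not be fetched on the server's behalf."""


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in any range a server must not contact."""
    addr = ipaddress.ip_address(ip)
    # "::ffff:10.0.0.5" (IPv4-mapped IPv6) must be judged as 10.0.0.5
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_safe(url: str, resolver=lambda host: FAKE_DNS.get(host, [])):
    """Validate url and return (hostname, pinned_ip) or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = parts.hostname  # already lower-cased and bracket-stripped
    if not host:
        raise SSRFBlocked("missing host")
    try:
        # Literal IP in the URL: check it directly. Shorthand forms such as
        # "127.1" or "0x7f000001" are not valid to ipaddress and fall through
        # to the resolver, which has no record for them, so they are rejected.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host}")
    # Every answer must be public: a single private record is enough to pivot.
    for ip in addrs:
        if is_blocked_ip(ip):
            raise SSRFBlocked(f"{host} resolves to blocked address {ip}")
    # Return the checked IP so the caller connects to it (pinning), instead
    # of re-resolving and being rebound to an internal address later.
    return host, addrs[0]


def is_safe_url(url: str) -> bool:
    """Convenience wrapper: True if resolve_safe accepts the URL."""
    try:
        resolve_safe(url)
        return True
    except SSRFBlocked:
        return False


if __name__ == "__main__":
    for u in ("https://example.com/api", "http://metadata.evil.test/latest/",
              "http://dual.evil.test/", "http://127.0.0.1:8080/",
              "http://[::ffff:10.0.0.5]/", "file:///etc/passwd"):
        print(f"{u:40} -> {'allowed' if is_safe_url(u) else 'blocked'}")
```

Two caveats a reviewer would raise against any such guard: the pinned IP must actually be the one the HTTP client connects to (pass it as the connect address and send the original hostname in the Host header and TLS SNI), and redirects must be disabled or each hop re-validated, otherwise a public host can 302 the server into the ranges the first check excluded.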
Users are advised to upgrade to SugarCRM 14.0.1 or 13.0.4, depending on their current version. SugarCRM customers on SugarCloud will receive the upgrade automatically. On-site customers should refer to the SugarCRM Installation and Upgrade Guide for their specific version and product.