In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.Referenceshttps://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
