On 23 June 2014 SugarCRM released the first patch for 6.5 since 20 October 2013.
The release notes detailed a security patch which all users should install, but did not detail anything further.
Here at Provident we dug into the patch, and here is a more detailed list of the changes:
- Module scanner now blocks two additional functions: simplexml_load_file and simplexml_load_string
- JS Security Fix in Emails – changing AJAX call from GET to POST
- XML Handling – Additional error handling and libxml_disable_entity_loader is now set to true
- Users module – Additional checking against unauthorised access to other users' profiles, plus a bugfix for the password field
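The XML-handling item above, as an added example rather than code from SugarCRM's patch: a hardened loader that does what the release describes (entity loader disabled, libxml errors collected, DOCTYPE rejected). The function name and the sample inputs are constructed for this illustration; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not SugarCRM's patch code): a hardened XML loader in the
// spirit of the 6.5.17 change - external entity loading disabled, libxml
// errors collected instead of emitted, and any DOCTYPE (the vehicle for
// entity declarations) rejected outright.

function loadUntrustedXml(string $xml): SimpleXMLElement
{
    // libxml_disable_entity_loader() is what the patch sets to true; it is
    // deprecated in PHP 8, where external entity loading is already off.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // Collect parse errors ourselves rather than letting libxml emit warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids any network access during parsing.
        $ok = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
        if ($ok === false) {
            $messages = array_map(fn($e) => trim($e->message), libxml_get_errors());
            throw new RuntimeException('Malformed XML: ' . implode('; ', $messages));
        }
        // Refuse any internal subset: no DOCTYPE means no entity declarations.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('XML with a DOCTYPE is not accepted');
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs: a clean record, one carrying an external entity
// declaration (placeholder URI), and one that is simply malformed.
$clean = '<?xml version="1.0"?><contact><name>Alice</name></contact>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE contact [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
             . '<contact><name>&ext;</name></contact>';

foreach ([$clean, $withDoctype, '<contact><name>unclosed'] as $input) {
    try {
        $doc = loadUntrustedXml($input);
        echo "accepted: name=", (string) $doc->name, PHP_EOL;
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), PHP_EOL;
    }
}
```

Only the first input is accepted; the DOCTYPE variant is refused before any entity could be resolved, and the malformed one surfaces the collected libxml message instead of a PHP warning.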
We would recommend all users update to this version ASAP, particularly given the security fixes on the Users module/password handling.
If you require assistance patching your SugarCRM system, please contact us: firstname.lastname@example.org
Official SugarCRM Release notes for 6.5.17 are available here:
Provident CRM are a Platinum 3 Star Partner, with offices in UK, Ireland and DACH Regions.