SugarCRM 6.5.17 Patch List

On 23 June 2014, SugarCRM released the first patch for 6.5 since 20 October 2013.


The release notes detailed a security patch which all users should install, but did not detail anything further.

Here at Provident we dug into the patch, and here is a more detailed list of the changes:

  1. Module scanner now blocks two additional functions: simplexml_load_file and simplexml_load_string
  2. JS security fix in Emails – AJAX call changed from GET to POST
  3. XML handling – additional error handling, and libxml_disable_entity_loader is now set to true
  4. Users module – additional checking for unauthorised access to other users' profiles, plus a bug fix for the password field

We would recommend all users update to this version ASAP, particularly given the security fixes on the Users module/password handling.
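To illustrate item 3, here is an added example of the hardening pattern it describes: parse XML with the entity loader disabled and parser errors handled explicitly. It is not SugarCRM's patch code; `safe_load_xml()` and the sample documents are hypothetical and constructed for this post.

```php
<?php
// Added example, not SugarCRM source. safe_load_xml() is a hypothetical helper.
function safe_load_xml($xml)
{
    // Collect parser errors instead of letting them surface as PHP warnings.
    $prevErrors = libxml_use_internal_errors(true);

    // PHP < 8.0: stop libxml resolving external entities. PHP 8.0+ requires
    // libxml >= 2.9.0 (loading is off by default) and deprecates this call.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }

    try {
        // Defence in depth: entity declarations live in the DOCTYPE, and
        // ordinary data payloads do not need one, so refuse it outright.
        if (stripos($xml, '<!DOCTYPE') !== false) {
            return null;
        }
        // LIBXML_NONET blocks network access. LIBXML_NOENT is deliberately
        // not passed, because it would turn entity substitution on.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            foreach (libxml_get_errors() as $e) {
                error_log('XML rejected: ' . trim($e->message));
            }
            return null;
        }
        return $doc;
    } finally {
        // Restore global libxml state so other code is unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed sample inputs (the entity target is a placeholder path).
$samples = array(
    'well-formed' => '<account><name>Acme</name></account>',
    'malformed'   => '<account><name>Acme</account>',
    'doctype'     => '<!DOCTYPE a [<!ENTITY e SYSTEM "file:///placeholder">]><a>&e;</a>',
);
foreach ($samples as $label => $xml) {
    echo $label, ': ', (safe_load_xml($xml) === null ? 'rejected' : 'parsed'), PHP_EOL;
}
```

With the entity loader disabled, `simplexml_load_file()` can no longer read from disk either, so custom code that loads XML files needs to read the file itself and pass the string to the parser.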

If you require assistance patching your SugarCRM system, please contact us:

Official SugarCRM Release notes for 6.5.17 are available here:

Provident CRM are a Platinum 3 Star Partner, with offices in UK, Ireland and DACH Regions.