SugarCRM Released the first patch in since 20 October 2013 for 6.5 on 23 June 2014.

The release notes detailed a security patch which all users should install, but did not detail anything further.

Here at provident we dug into the patch, and here is a more detailed list of the changes:

1. Module scanner now blocks two additional functions:  simplexml_load_file, & simplexml_load_string
2. JS Security Fix in Emails –  changing AJAX call from GET to POST
3. XML Handling – Additional error handling and libxml_disable_entity_loader is now set to true
4. Users module – Additional checking on un-authorised access to other users profile, plus Bugfix for password field

We would recommend all users update to this version ASAP, particularly given the security fixes on the Users module/password handling.

If you require assistance patching your SugarCRM system, please contact us: sales@providentcrm.com

Official SugarCRM Release notes for 6.5.17 are available here:

http://support.sugarcrm.com/02_Documentation/01_Sugar_Editions/01_Sugar_Ultimate/Sugar_Ultimate_6.5/Sugar_Ultimate_Release_Notes_6.5.17/

Provident CRM are a Platinum 3 Star Partner, with offices in UK, Ireland and DACH Regions.