SugarCRM before 8.0.4 Improper Input Validation Vulnerability


SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.


The information has been provided by Egidio Romano 

The original article can be found at:



Three Remote Code Execution issues have been identified in the MergeRecords module. Because the module does not validate its input, a specially crafted request can inject custom PHP code through the MergeRecords module. Developer user privileges are required to exploit these vulnerabilities.
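The following is an added illustration of the bug class the advisory describes (PHP code injection caused by missing input validation when application code emits PHP source from a request parameter). It is not SugarCRM's MergeRecords code and does not reproduce the actual flaw; the function names, the $field_name parameter and the generated file layout are assumptions made for the example. The vulnerable builder is shown beside a hardened one:

```php
<?php
// Added example, not SugarCRM code: generic PHP code injection via unvalidated
// input that is concatenated into generated PHP source. Function names, the
// $field_name parameter and the generated file layout are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the request value is spliced straight into PHP source.
// A value such as  x'; system('id'); //  closes the string literal early and
// leaves system('id') as live code in the generated file.
function build_merge_config_vulnerable(string $field_name): string
{
    return "<?php\n\$merge_fields[] = '" . $field_name . "';\n";
}

// Hardened pattern, step 1: accept only identifier-shaped values.
function is_safe_field_name(string $field_name): bool
{
    return preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $field_name) === 1;
}

// Hardened pattern, step 2: reject anything else, and let var_export() emit a
// correctly quoted PHP literal instead of hand-built string concatenation.
function build_merge_config_hardened(string $field_name): string
{
    if (!is_safe_field_name($field_name)) {
        throw new InvalidArgumentException('rejected field name: ' . $field_name);
    }
    return "<?php\n\$merge_fields[] = " . var_export($field_name, true) . ";\n";
}

// Constructed sample inputs: one legitimate field name, one crafted value.
$benign  = 'account_name';
$crafted = "x'; system('id'); //";

echo "--- vulnerable builder, crafted input ---\n";
echo build_merge_config_vulnerable($crafted);

echo "--- hardened builder, benign input ---\n";
echo build_merge_config_hardened($benign);

echo "--- hardened builder, crafted input ---\n";
try {
    echo build_merge_config_hardened($crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

With the crafted value the vulnerable builder produces a file in which the single-quoted literal ends after `x`, so `system('id')` executes whenever that file is included; the hardened builder rejects the value before any source is generated. The stronger fix is to avoid generating PHP from user-controlled data at all (for example, persist such settings as JSON and read them back with json_decode()), so that no input path can reach the PHP parser.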

Vulnerable Systems:

SugarCRM before 8.0.4 

SugarCRM 9.x before 9.0.2

CVE Information:


Disclosure Timeline:
Published Date: 10/07/2019