SugarCRM before 8.0.4 Improper Input Validation Vulnerability
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
The information has been provided by Egidio Romano.
The original article can be found at: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-030/
Three remote code execution issues have been identified in the MergeRecords module. Because input validation is missing, a specially crafted request can inject custom PHP code through the MergeRecords module. Exploiting these vulnerabilities requires Developer user privileges.
SugarCRM before 8.0.4
SugarCRM 9.x before 9.0.2