Security Advisory sugarcrm-sa-2016-008

Advisory ID: sugarcrm-sa-2016-008
Revision: 1.0
Last updated: 2016-07-20
Status: Final (Customer disclosure)
Risk level: Critical
Vulnerability: Object/command injection




Missing input validation allows both authenticated and unauthenticated users to inject PHP objects wherever PHP-serialized user input is accepted, resulting in arbitrary code execution. By carefully crafting serialized content that contains objects as part of a request, arbitrary code can be executed.


The fix from sugarcrm-sa-2016-001, which previously addressed this issue, missed one specific use of unserialized input; that use is addressed in the releases listed below.
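As an added illustration of the defensive pattern this advisory implies (it is not SugarCRM's code nor the actual fix), the following PHP decodes serialized input from an untrusted source while refusing to instantiate any object; it assumes PHP 7.0 or later, and the function name and sample payloads are constructed for the example:

```php
<?php
// Added illustration, not SugarCRM's code: decode PHP-serialized input from an
// untrusted source without letting it instantiate objects.
// Assumes PHP >= 7.0 (for the allowed_classes option); the function name and
// the sample payloads below are constructed for this example.

/**
 * Returns the decoded value, or null if the payload names a class or fails to
 * decode. Refusing object tokens up front means no class's __wakeup(),
 * __destruct() or __toString() can run on attacker-controlled data.
 */
function untrusted_unserialize($data)
{
    if (!is_string($data)) {
        return null;
    }
    // Object (O:) and custom-serialized (C:) tokens have no place in data that
    // should only carry scalars and arrays. The check is deliberately broad
    // (it also rejects strings that merely contain such a sequence), so it
    // fails closed rather than open.
    if (preg_match('/[OC]:\d+:"/i', $data)) {
        return null;
    }
    // Defense in depth: even if a token slipped past the scan, PHP 7 turns
    // any object into __PHP_Incomplete_Class instead of instantiating it.
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false both for failures and for the serialized
    // boolean false, so distinguish the two explicitly.
    if ($value === false && $data !== 'b:0;') {
        return null;
    }
    return $value;
}

// Constructed inputs: a plain array, and a payload that tries to name a class.
$plainArray    = 'a:2:{s:3:"key";s:5:"value";i:0;i:42;}';
$objectPayload = 'O:8:"SomeType":1:{s:4:"prop";s:1:"x";}';

var_dump(untrusted_unserialize($plainArray));
var_dump(untrusted_unserialize($objectPayload));
```

Where a value legitimately needs to carry structured data from a client, a format that cannot express objects at all (for example JSON via json_decode with assoc=true) removes this class of bug entirely.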


Affected Products


The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.



Product          Editions                                                  Fixed release
SugarCRM 7.7     Professional, Corporate, Enterprise, Ultimate
SugarCRM 7.6     Professional, Corporate, Enterprise, Ultimate
SugarCRM 7.5     Professional, Corporate, Enterprise, Ultimate
SugarCRM 6.7     Professional, Corporate, Enterprise, Ultimate
SugarCRM 6.5     Community, Professional, Corporate, Enterprise, Ultimate





On-Site customers
It is strongly recommended to upgrade the affected products to the reported fixed release version. SugarCRM maintains different releases of its products each with specific upgrade paths. Consult the "Installation and Upgrade Guide" for the appropriate guidance to patch your instance. Contact support for any further inquiries regarding upgrades.


On-Demand customers
Customers hosted on SugarCRM On-Demand will receive an upgrade automatically.


Publication History

Update disclosure
Internal disclosure


A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.



This vulnerability has been responsibly disclosed by Egidio Romano (KIS-2016-07) and has been fixed by the SugarCRM Security Team.