CVE-2021-41597: 7.10.x Releases

SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.

  • PR: 7198 - Add Robo API commands

  • PR: 5464 - Filter email templates on Events

  • PR: 7829 - Issue: 7828 - Robo tasks for common actions that are performed in Repair Administration module

  • PR: 7819 - Issue: 7817 - Added option to filter WorkFlows by module name

  • PR: 7809 - Robo: Add a --filter option to tests:unit for filtering tests

  • PR: 7808 - Issue: 7621 - Add support for config_override.test.php

  • PR: 7844 - SuiteP: Add html data tags to allow module and field identification

  • PR: 7837 - Issue: 7836 - Robo task to compile css in a custom theme

  • PR: 7834 - Workflow: Properly delete records which are marked as deleted

  • PR: 8154 - Issue: 8153 - SQL query in the ACLAction code

  • PR: 8151 - Resolve issue with email templates

  • PR: 7659 - Icons not rendering properly in Alerts

  • PR: 7655 - Issue: 7648 - Case Module: Description field not showing after Save and continue

  • PR: 7650 - ‘customMetadate’ typo in DashletGeneric.php

  • PR: 7643 - Issue: 7622 - Make the code:coverage Robo command work outside of CI

  • PR: 7641 - Issue: 7396 - Update button clears DateTime parameter in Reports Module

  • PR: 7638 - Issue: 7315 - Adding parameter date field in Reports module causes error in Browser console

  • PR: 7627 - Update sugar_3.js to fix a MassUpdate undefined error

  • PR: 7587 - Issue: 7586 - Unnecessary include in UserService

  • PR: 7529 - Codacy

  • PR: 7525 - API Create Relationship via Link

  • PR: 7515 - Scheduled Reports: Fix report name relation and popup search

  • PR: 7428 - Issue: 7427 - Show logs lines that was made by anonymous

  • PR: 7195 - Inspections compatibility

  • PR: 7193 - Remove Unused Import

  • PR: 7141 - Type casting

  • PR: 6765 - Issue: 321 - Hitting enter in the password input saves the user but not the password

  • PR: 6503 - Add a SAML2 metadata endpoint

  • PR: 5537 - Issue: 5520 - Do not clear existing attachments when loading a template

  • PR: 4471 - Update DeleteRelationship.php

  • PR: 3820 - search_by_module REST API

  • PR: 7826 - Issue: 2825 - Now we translate the title tag for recently viewed links

  • PR: 7822 - Issue: 7821 - User name is not aligned in 1200px to 1600px screens

  • PR: 7818 - InboundEmailTest: Make tests independent to make them work with the state checker

  • PR: 7816 - Removing an item from subpanel should only require the item edit access right

  • PR: 7815 - Save email addresses before saving company/person

  • PR: 7814 - SQL query bug for quote purchase subpanel

  • PR: 7813 - Issue: 7810 - Pencil present in Top Menu for users with non editing permission

  • PR: 7802 - Issue: 6830 - Code coverage as a separate stage in CI

  • PR: 7797 - Issue: 7779 - PHP Fatal error in modules/Connectors

  • PR: 7783 - Issue: 7780 - Bad css format in Date and Date Range Inputs in search forms

  • PR: 7782 - Issue: 7781 - Now we can compile SuiteP only one color_scheme

  • PR: 7777 - Issue: 7784 - Grouping by with xxx_usdollar currency fields

  • PR: 7774 - EmailMarketing: Add security groups support

  • PR: 7773 - Make robo test commands fail if tests fail

  • PR: 7771 - Issue: 7620 - Add dotenv support for the test environment

  • PR: 7762 - Issue: 7761 - htaccess issue

  • PR: 7760 - SugarEmail: Fix ‘to’ field not being filled when the last record doesn’t have an email

  • PR: 7746 - Issue: 7675 - Add a function to compare properly indices definitions

  • PR: 7741 - Clean up a bunch of unit tests

  • PR: 7711 - Issue: 2928 - Clear Zend OPcache when writing files

  • PR: 7690 - Composerify Zend Lucene

  • PR: 7906 - Update Gitattributes + codeception.dist.yml

  • PR: 7904 - Issue: 7903 - Verify if $bean is_subclass_of SugarBean so we can check access

  • PR: 7900 - Issue: 7869 - Protect against illegal string offset warnings in aow_utils

  • PR: 7899 - Issue: 7868 - ‘Undefined index: leads_id’ notices in AOR_Report.php

  • PR: 7898 - Issue: 7552 - AOR Reports - Mysqli_query failed when execute Report as normal User

  • PR: 7892 - Issue: 5652 - Ending spaces in language strings

  • PR: 7877 - Issue: 7875 - Wrong render in DateRangeInput using ‘Between’ Option

  • PR: 7871 - Issue: 7870 - Improvements in css for date_input and labels in EditView

  • PR: 7865 - Refixed #7393 without breaking headers for non-pulldown fields

  • PR: 7866 - Issue: 6535 - Replace contact_xxx in templates also for leads/prospects/users

  • PR: 7864 - Issue: 7642 - Replace Title with Job Title

  • PR: 7858 - Issue: 6442 - Fix Issue when importing non UTF-8 CSV file

  • PR: 7857 - Issue: 7848 - Temporarily revert PHP 5.5 from the Travis build

  • PR: 7855 - Issue: 7613 - Status/State usage causing translation errors

  • PR: 7853 - Issue: 7848 - Move the PHP 5.6 job to xenial

  • PR: 7847 - Issue: 6012 - Emails being sent from ‘Root User’

  • PR: 7841 - Update issue/PR templates to comment on how to include code

  • PR: 7839 - Issue: 7838 - ‘Undefined index: docType’ PHP notice

  • PR: 7833 - SugarFeed: Various fixes for 7.10.19/20 regressions

  • PR: 7965 - Issue: 7964 - Report Total Field formatting is inconsistent

  • PR: 7963 - Issue: 7962 - Sending emails with apostrophe in email address

  • PR: 7959 - Issue: 3860 - Fix typo in InboundEmail.php

  • PR: 7957 - Silent upgrade

  • PR: 7956 - Issue: 7955 - Admin blank screen post upgrade to 7.11.8

  • PR: 7952 - Update the .gitattributes export-ignore list

  • PR: 7951 - Issue: 6691 - Typo in key - LBL_ORIGINAL_MESSAGE_SEPERATOR

  • PR: 7950 - Issue: 7926 - Do not divide by adjustment if it equals 0

  • PR: 7944 - Issue: 3129 - Use correct Business Hours field name for opening hours check

  • PR: 7943 - Issue: 7942 - Add bool to eligible fields for merging

  • PR: 7930 - Typos in audit template metadata

  • PR: 7929 - Issue: 7928 - Upgrade wizard recommends composer update instead of composer install

  • PR: 7925 - Enable Delete button in Actions menu

  • PR: 7924 - Issue: 7923 - Verify the variable is an array

  • PR: 7922 - Issue: 7880 - InboundEmail mime parser

  • PR: 7918 - Issue: 7917 - Issue with french translation

  • PR: 7913 - Issue: 7912 - Avoid PHP Notices in getVardefs() method

  • PR: 7910 - Issue: 7885 - Add a SECURITY.md to the repository

  • PR: 7909 - htaccess

  • PR: 8039 - Misc improvements to the acceptance tests

  • PR: 8032 - Issue: 3857 - Retain date properly when saving a stored query

  • PR: 8031 - Issue: 7758 - Disable Action menu has no effect on menus in subpanel

  • PR: 8030 - Issue: 7738 - Email Template selection in email module is not working in Edge/IE11

  • PR: 8029 - Updated mkdir calls to throw RuntimeExceptions

  • PR: 8028 - Issue: 7874 - Unable to use custom _head.tpl file

  • PR: 8027 - Issue: 7882 - No ‘Server response time’ in SuiteP

  • PR: 8026 - Issue: 8025 - OAuth Keys: OAuth2 Clients and Tokens icons are missing

  • PR: 8020 - Fixed a grammatical error in include/templates/Template.php

  • PR: 8018 - Move RebuildConfig.php from using XTemplate to using Smarty

  • PR: 8015 - Make the pagination buttons on DetailView pages links.

  • PR: 8010 - Skip cache building if custom class exists for dashlets

  • PR: 8009 - Update contributing.md

  • PR: 7998 - Issue: 7997 - Datetime field caching issue

  • PR: 7995 - Typos and made it grammatically better

  • PR: 7994 - Update config.yml to include 7.10.x branch

  • PR: 7990 - AOW_WorkFlow: Delete all related beans when deleting a workflow

  • PR: 7989 - BeanFactory: Don’t return deleted beans from the cache

  • PR: 7986 - Updated LoggerManager to use @method + code cleanup

  • PR: 7981 - Issue: 5709 - Paths to milestone image

  • PR: 7978 - Issue: 7971 - Textarea in EditView overlaps other fields

  • PR: 7976 - Replace deprecated array index accessors

  • PR: 7970 - Issue: 7969 - Cannot call logger

  • PR: 7966 - Email css error

  • PR: 8086 - Link contributors badge to contributors insights

  • PR: 8076 - Issue: 8057 - Deprecated usage of join

  • PR: 8075 - Issue: 8057 - Misc PHP 7.4 deprecations

  • PR: 8073 - Issue: 8057 - Remove all uses of get_magic_quotes_gpc

  • PR: 8068 - Issue: 7764 - Undefined index: server_unique_key

  • PR: 8067 - Added the deprecated lowercase v8 API to codecov ignore list

  • PR: 8064 - Issue: 8063 - Change isset() to !empty()

  • PR: 8061 - Issue: 6314 - Unused language strings in ver. 7.10.8

  • PR: 8060 - Issue: 7987 - Apache log

  • PR: 8059 - Added a check for SUGARCRM restrictions in htaccess

  • PR: 8058 - Issue: 8057 - Deprecated usages of implode

  • PR: 8056 - Issue: 7128 - Remove scheme to avoid mixed content error

  • PR: 8054 - Improve footer styling for new stats item

  • PR: 8051 - Issue: 7397 - Implement Refresh Token Grant

  • PR: 8050 - Issue: 8001 - Non-distinct person entries for each meeting/call invited to

  • PR: 8049 - Header cleanup

  • PR: 8041 - Remove BusinessCard-related code

  • PR: 8000 - More PHP 7.4 array accessor deprecations

  • PR: 6750 - Issue: 4754 - Remove PHP4 style constructors

  • PR: 8085 - Deprecated string concatenation

  • PR: 8080 - Replaced alias functions

Special thanks to the following members for their contributions and participation in this release!

To report any security issues, please follow our Security Process and send them directly to us via email at [email protected]
