SugarCRM CE <= 6.3.1 contains scripts that use “unserialize()” with user controlled input which allows remote attackers to execute arbitrary PHP code.
Affected Product(s) :
SugarCRM CE 6.3.1
Vulnerability Details :
CVE ID :
The vulnerability is caused due to all these scripts using “unserialize()” with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the “__destruct()” method of the “SugarTheme” class, passing an ad-hoc serialized
Vendor fix the issue on his own within 6.4.0 RC1 release