Overview :
SugarCRM CE <= 6.3.1 contains scripts that use “unserialize()” with user controlled input which allows remote attackers to execute arbitrary PHP code.
Affected Product(s) :
  • SugarCRM CE 6.3.1
Vulnerability Details :
CVE ID : CVE-2012-0694
The vulnerability is caused due to all these scripts using “unserialize()” with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the “__destruct()” method of the “SugarTheme” class, passing an ad-hoc serialized

Solution :
Vendor fix the issue on his own within 6.4.0 RC1 release