/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updatePlease see January 13, 2023: Security Vulnerability Update for the most recent updates, including information about the final report from our third-party forensics firm. SugarCRM recently became aware of a publicly disclosed vulnerability affectingen-USTelligent Community 12https://sugarclub.sugarai.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updateMon, 16 Jan 2023 13:23:50 GMT5c521d64-519d-47a6-9065-134618b211bf:511e446f-fa64-47e6-b825-90122fdc6307Logamurugan Pilavadi1<p><span>Why is there a difference between patch to be applied on .htaccess and&nbsp;</span><span>install_utils.php? Patch required for&nbsp;install_utils.php missing / and&nbsp;</span><span>log4php in the pattern&nbsp;</span></p><img src="https://sugarclub.sugarai.com/aggbug?PostID=3112&AppID=12&AppType=Weblog&ContentType=0" width="1" height="1">https://sugarclub.sugarai.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updateFri, 13 Jan 2023 20:32:27 GMT5c521d64-519d-47a6-9065-134618b211bf:511e446f-fa64-47e6-b825-90122fdc6307Club Concierge0<p><span>This post has been updated to reflect the current status of SugarCRM&rsquo;s actions and knowledge. Updates include updated instructions based on the&nbsp;</span><a href="/explore/product-updates/b/enterprise-professional-updates/posts/security-release-notification-12-0-2-and-11-0-5">release of the 12.0.2 and 11.0.5 patches</a><span>, information regarding the official CVE report, and additional instructions on how to locate possible evidence to help determine if you have been affected.</span></p><img src="https://sugarclub.sugarai.com/aggbug?PostID=3112&AppID=12&AppType=Weblog&ContentType=0" width="1" height="1">https://sugarclub.sugarai.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updateFri, 13 Jan 2023 14:52:38 GMT5c521d64-519d-47a6-9065-134618b211bf:511e446f-fa64-47e6-b825-90122fdc6307Junaid Usman1<p>Thanks for the quick patch.</p> <p>It is very unfortunate that an official statement from the SugarCRM side came on the&nbsp;4th of Jan while the vulnerability was announced on the 28th of December. Considering this is a 0-day Auth bypass, it would&nbsp;have been better if the announcement was made as soon as it is public; so that customers can take some precautionary measures while waiting for a quick patch.</p><img src="https://sugarclub.sugarai.com/aggbug?PostID=3112&AppID=12&AppType=Weblog&ContentType=0" width="1" height="1">https://sugarclub.sugarai.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updateFri, 13 Jan 2023 01:52:36 GMT5c521d64-519d-47a6-9065-134618b211bf:511e446f-fa64-47e6-b825-90122fdc6307Francesca Shiekh0<p>For those still on Professional, the upgrade to 11.0.5 brings back Bug<span>&nbsp;</span><span>87739</span><span>&nbsp;and shows up as a database mismatch for fields of type INT.<br /><br /></span></p><img src="https://sugarclub.sugarai.com/aggbug?PostID=3112&AppID=12&AppType=Weblog&ContentType=0" width="1" height="1">https://sugarclub.sugarai.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updateTue, 10 Jan 2023 00:40:24 GMT5c521d64-519d-47a6-9065-134618b211bf:511e446f-fa64-47e6-b825-90122fdc6307Club Concierge1<p>This post has been updated to reflect findings related to instances of Sugar where SugarIdentity is enabled. We have determined that the vulnerability could not impact instances that had SugarIdentity enabled. For help in determining if SugarIdentity was enabled on your instance, instructions can be found <a href="https://support.sugarcrm.com/Documentation/SugarCloud_Services/SugarIdentity/SugarIdentity_Guide/#Determining_if_Your_Instance_Uses_SugarIdentity" rel="noopener noreferrer" target="_blank">here</a>.</p><img src="https://sugarclub.sugarai.com/aggbug?PostID=3112&AppID=12&AppType=Weblog&ContentType=0" width="1" height="1">https://sugarclub.sugarai.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-updateFri, 06 Jan 2023 18:45:45 GMT5c521d64-519d-47a6-9065-134618b211bf:511e446f-fa64-47e6-b825-90122fdc6307Club Concierge0<p>Additional questions added:</p> <ul> <li><a href="/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update#mcetoc_1gm44cmhs3">Once patched, what should customers hosted outside of SugarCloud or Sugar managed hosting be on the lookout for?</a></li> <li><a href="/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update#mcetoc_1gm45iuhf9">What is the vulnerability that was identified?</a></li> </ul> <p>Please click the &quot;<strong>Turn Comment notifications on</strong>&quot; button on this post to be notified of any updates</p><img src="https://sugarclub.sugarai.com/aggbug?PostID=3112&AppID=12&AppType=Weblog&ContentType=0" width="1" height="1">