Released 14/11/2023
CVE: CVE-2023-6130 - LFI to RCE Vulnerability
CVE: CVE-2023-6128 - Reflected XSS Vulnerability
CVE: CVE-2023-6131 - Arbitrary File Upload to RCE
CVE: CVE-2023-6127 - Import XSS Vulnerability
CVE: CVE-2023-6126 - Dashlet HTML Injection Vulnerability
CVE: CVE-2023-6125 - PDF XSS Vulnerability
CVE: CVE-2023-6124 - SSRF Vulnerability
Special thanks to everyone who reported the security issues addressed in this release!
navsec, Christoph Timm, nam-no, Shahzaib Ali Khan, Alex Bernier
Please visit the official website to find the appropriate upgrade package.
To report any security issues please follow our Security Process and send them directly to us via email security@suitecrm.com
Released 03/10/2023
Special thanks to everyone who reported security issues addressed in this release!
Josh Lees & Robert Stokes (Illume Security), Zilio Nicolas from CrowdStrike
Released 11/07/2023
PR: 10051 - Add better description of what is being removed during module installation for ACLs
PR: 10050 - Add missing language definitions for the module loader
PR: 9816 - Item element getting called incorrectly
PR: 10024 - Fix #9601 - Fix bug where report conditions parenthesis pairs would not save correctly
PR: 10057 - Fix #10056 - User bean value is_admin is unset on save()
PR: 9983 - Fix #9516 - getRelatedId returns null instead of a string
PR: 9657 - Fix 9654 - different date formats being compared for change log
PR: 10036 - Fix #10033 - PHP Fatal error Uncaught TypeError PHP8
Special thanks to the following members for their contributions and participation in this release!
Released 24/04/2023
PR: 9542 - Fix #9542 - PHP8 null values
PR: 9812 - Fix #9812 - Decimal number calculations
PR: 9817 - Fix #9817 - A typo in Campaign Trackers
PR: 9828 - Fix #9828 - $mod_strings was not initiated
PR: 9849 - Fix #9849 - allowed_preview is defined twice
PR: 9642 - Fix #9602 - ProspectLists save function has a duplication issue
PR: 9559 - Fix #7759, #8273 - Double Compose button in subpanels
PR: 10010 - Fix #10009 - Cannot configure Module Menu Filters on PHP8+
PR: 9325 - Fix #9153 - Adding dynamicenum case option for export
PR: 9329 - Fix #8897 - Adding missing relationship for SurveyResponses module
PR: 9471 - Fix #9470 - Set fdow in Calendar popup date selector for range search and MassUpdate
PR: 9520 - Fix #9326 - Adding decimal and float case option for export
PR: 9528 - Fix #9476 - Mass assign security groups only assigns selected on current page
PR: 9622 - Fix #9621 - Workflows Calculate Field Actions don’t translate dynamicenum fields
PR: 9784 - Fix #9783 - Compose view quick search for email templates
PR: 9787 - Fix #9780 - New User Group Popup. Popup does not show after creating a user
PR: 9876 - Fix #9875 - SugarFeed shows 0 seconds ago and negative interval for certain datetime formats
PR: 9903 - Fix #9902 - Workflow - Some Date calculations fail with certain formats
Special thanks to the following members for their contributions and participation in this release!
Released 02/03/2023
CVE: Pending - RCE Vulnerability
CVE: Pending - Stored XSS Vulnerability
CVE: Pending - Stored XSS Vulnerability
CVE: Pending - SSRF Vulnerability
PR: 9666 - Fix #9665 - Set unique id for "Reset module" button in studio
PR: 9742 - Fix closing count() bracket before relational operator; PHP 8.0 count() throwing TypeError
PR: 9751 - Fix #9750 - Receive related parameters of type dynamicenum in workflow formulas
PR: 9796 - Fix #4646 - Hard coded messages in Surveys module
PR: 9872 - Fix #9871 - Javascript message error when bulk updating all user records
PR: 9874 - Fix #9873 - Plesk php.ini disable_functions = opcache_get_status
PR: 9882 - Fix OPCache install module copy action
PR: 9884 - Fix #9883 - Security Groups do not work with modules whose name exceeds 36 characters.
PR: 9910 - Fix #9909 - Default empty item when creating a new Dropdown field
PR: 9914 - Close #9914 - Update dashboard.scss for dashlet options overflow
PR: 9955 - Fix #9926 - Add missing check on product image upload
PR: 9901 - Fix #9900 - Conditions doesn’t recognize some of the characters set
Special thanks to the following members for their contributions and participation in this release!
Special thanks to everyone who reported the security issues addressed in this release!
Nico Weidmann (SAP Security Research), Rustam Komildzhonov and Ilja Bulatov
Released 25/01/2023
CVE: CVE-2022-45185 - Improper Access Control
CVE: Pending - SQL Injection
CVE: Pending - Improper Access Control
CVE: Pending - Improper Access Control
CVE: Pending - Improper Access Control
CVE: Pending - Bypass Vulnerability
CVE: Pending - Cross Site Scripting Vulnerability
PR: 9718 - Fix #9717 - Security Suite Record Group selector doesn’t appear when duplicating records
PR: 9648 - Fix #9646 - Display TinyMCE in step 4 of the campaigns form wizard
PR: 9643 - Fix #9574 - Update method to static for module renaming
PR: 9638 - Fix Elasticsearch indexing and searching using accented characters
PR: 9474 - Fix #9473 - Missing item "Survey" in campainglog_activity_type_dom
PR: 9844 - ElasticSearch Indexing batch error handling
PR: 9770 - Fix #9568 - Ignore int len when comparing vardefs in newer MySQL versions
PR: 9786 - Clear caches used by Inline Edition
PR: 9671 - Fix #9670 - Disabling the user profile option about notification of assignments does not work
PR: 9813 - Fix #9344 - Error in Browsers console after adding tabs to Quickcreate: function selectTabOnError
Special thanks to the following members for their contributions and participation in this release!
Special thanks to everyone who reported the security issues addressed in this release!
RIOUX Guilhem, Mark Hupperichs, Vautia, Benoit Luquet, crackcat
Released 17/11/2022
PR: 9803 - Fix #9803 - Workflow test returns boolean
PR: 9804 - Update jquery-ui to 1.13.2
PR: 9566 - Turn private to protected to fix Emailtemplate overrides
PR: 9567 - Turn private to protected to fix SendMail AOW_Action overrides
PR: 9557 - fix escapeField where $cell string is empty
PR: 9801 - Fix #9800 Fix issue with send as system being hidden
PR: 9614 - Fix #7030 - Errors in Workflow operators Contains, Starts with and Ends with
PR: 9651 - Fix #9650 - Deprecated constructor method is being called in Calendar
PR: 9659 - Fix #9658 - SuiteCRM add duplicate dashlet when filter is used
PR: 9669 - Fix #9668 - It is not possible to use a custom template for password change
PR: 9673 - Fix #9672 - Bug in CSS class causes bad button display
PR: 9675 - Fix #9674 - Error when importing (creating and updating) a record with ID already deleted in the database
PR: 9689 - Fix #9688: Use the same browser title for the regular views
PR: 9699 - Fix #9698 - Do not delete the subject when editing a tracking url from the campaign assistant
PR: 9705 - Fix #9704 - Missing relationship definition in SurveysQuestionResponses
PR: 9707 - Fix #9706 - ModuleBuilder doesn’t save language files in the correct
PR: 9712 - Fix #9711 - Update date_modified field when deleting a Target List
PR: 9722 - Fix #9721 - Adding Years option to aow_date_type_list in Workflow conditions
PR: 9729 - Fix #9728 - cron.php fails with "must be compatible" error
PR: 9731 - Fix #9730 - cron.php fails with fatal TypeError using PHP 8
PR: 9754 - Fix #9753 - Do not save white spaces in SMTP data
PR: 9785 - Fix #9781 Fetch existing Call/Meeting Reminder data in quickeditview
PR: 9791 - Fix #9588 - search were ignored if searchQuery was not set in user’s preference
Special thanks to the following members for their contributions and participation in this release!
Released 16/08/2022
CVE: Pending - Improper Authorization
CVE: Pending - Improper Authorization
PR: 9736 - Fix #9736 - ElasticSearch still running repair if not enabled
PR: 9735 - Fix #9735 - Add ElasticSearch Repair option to Admin→Repair Menu
PR: 9512 - Fix #9512 - Case Updates Thread now displays updates from 'Unknown' sources
PR: 9686 - Fix #9686 - Draft Email Opens in Draft View From History Subpanel
PR: 9314 - Fix #9314 - Respect the subpanel flat flag
PR: 9608 - Fix #9421 - Elastic search logic hooks fail to index properly
PR: 9539 - Fix #9539 - Fix Elasticsearch indexing unnecessarily during QR+R
PR: 9599 - Fix #9599 - Fix missing pagination on Elasticsearch Results
PR: 9628 - Fix #9627 - Studio changes not picked up by CRM when opcache.validate_timestamps=0
PR: 9662 - Fix #9660 - Copy only select files to custom/working directory
PR: 9664 - Fix #9663 - Smaller screens automatically collapse non-subpanel panels
PR: 9591 - Fix #9547 - Workflow actions not saving correctly for certain field types
PR: 9163 - Fix #9163 - listviewdefs.php for Outbound Email Accounts module to use correct by default
PR: 9561 - Fix #9561 - with search where fail state was not handled when missing listviewdefs.php file
PR: 9609 - Fix #9609 - Change the logger level in setStream and getStream functions to prevent excessive log errors
PR: 9570 - Fix #9569 - Fix issue with missing dropdown image
PR: 9552 - Fix #9551 - Update date period to include the users TZ
PR: 9597 - Fix #9594 - Don’t convert nl to BR for contact updates
PR: 9635 - Fix #9634 - Add check on cron to show the basic view on first load
PR: 9637 - Fix #9639 - Add styling of email recipient button
PR: 9604 - Fix #9258 - Fix for Notes module advanced date-modified search
PR: 9603 - Fix #9267 - Fix for popup &email reminder options
Special thanks to everyone who reported the security issues addressed in this release!
Vladimir Razov (Positive Technologies)
Special thanks to the following members for their contributions and participation in this release!
Released 24/05/2022
Important: This release includes critical security fixes; we strongly recommend that users of older versions update as soon as possible.
New entries were added to the config. Please make sure to run Rebuild Config File, located in the Administration > Repair menu.
PHP session_gc is now force-enabled by default.
This option can be disabled by setting enable to false within the session_gc array in config.php.
The values for session.gc_probability and session.gc_divisor can be changed in the following config.php entries within the session_gc array:
gc_probability
gc_divisor
Check the PHP documentation for more information on these settings: https://www.php.net/manual/en/session.configuration.php
If you are using a session_dir other than the default, please make sure session_gc is enabled. Otherwise session files won't be cleaned.
If you are using a Debian or Ubuntu based system and you have the default session_dir (which falls back to the system default), you may want to set enable within the session_gc array to false, as that is the default value for these systems: they have their own replacement for PHP session_gc. Please review your system's defaults before making any changes.
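As an added illustration (not taken from the release notes or the SuiteCRM code base), this is the shape these entries take in config.php; it assumes the keys live under $sugar_config['session_gc'] as described above, and the numeric values and the session_dir path are examples rather than the shipped defaults.

```php
<?php
// Added example of the session_gc entries described above. The key names under
// $sugar_config['session_gc'] are assumed from the text; the numbers and the
// path are illustrative, not SuiteCRM's shipped defaults.

// Case 1: a custom session_dir. Keep session_gc enabled so stale session files
// in that directory are actually removed; nothing else will clean them, and
// abandoned session files keep their (still valid) session ids on disk.
$sugar_config['session_dir'] = '/var/lib/suitecrm/sessions'; // example path
$sugar_config['session_gc'] = [
    'enable'         => true,
    // Mirrors PHP's session.gc_probability / session.gc_divisor:
    // on average 1 request in 100 triggers garbage collection.
    'gc_probability' => 1,
    'gc_divisor'     => 100,
];

// Case 2: Debian/Ubuntu with the default session_dir. The distribution already
// runs its own session cleanup, so leave PHP-level GC off as the distro does.
// $sugar_config['session_gc'] = ['enable' => false];
```

Whichever case applies, run Rebuild Config File afterwards so the new entries are picked up, and confirm that old files in the session directory actually disappear.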
CVE: Pending - SQL Injection Vulnerability
CVE: Pending - SQL Injection Vulnerability
CVE: Pending - SQL Injection Vulnerability
CVE: Pending - Improper Access Control
CVE: Pending - RCE and CSRF Vulnerability
CVE: Pending - Bypass Vulnerability
PR: 9577 - Update TinyMCE
PR: 9583 - Fix AOR_Report Unit Tests
PR: 9578 - Update Jquery JS Libraries
PR: 8599 - Auto-close success message boxes in ModuleBuilder
PR: 9584 - Fix SCRM-Core#87 - Prevent disabling the default language
PR: 9523 - Fix #9438 - Adding Action keyword to fieldname exception
PR: 9495 - Fix #9494 - Force displaying line breaks to textarea fields
PR: 9580 - Fix #9435 - Dropdown doesn’t return empty selected value
PR: 9522 - Fix #9435 - Dropdown doesn’t return empty selected value
PR: 9581 - Fix #3157 - Add default option to enable session_gc
Special thanks to everyone who reported the security issues addressed in this release!
mounta1n, Exodus Intelligence, Lekhang123lc
Special thanks to the following members for their contributions and participation in this release!
Released 02/03/2022
This release adds a new index to help improve performance in emails. Instances with a significantly large volume of emails may wish to run ALTER TABLE emails ADD INDEX idx_email_uid (uid); directly on their database prior to the upgrade, to help avoid a potential timeout or long upgrade.
CVE: CVE-2022-23940 - Remote Code Execution
CVE: CVE-2022-0754 - SQL Injection
CVE: CVE-2022-0755 - Improper Access Control
CVE: CVE-2022-0756 - Improper Authorisation
PR: 9478 - Update Github Templates
PR: 9507 - Add getters to SearchResultsController
PR: 9509 - Fix 9508 - Legacy Search Fields are incorrect size.
PR: 9481 - Fix 9480 - Slow to get Imap Mailbox with Mass Record Amounts
PR: 9518 - Fix 4075 - No way to add Email Signature after adding Email Template
PR: 9521 - Fix 9427 - Adding missing help popup help strings in Studio
PR: 9525 - Fix 9468 - Adding Security Suite subpanels to new custom modules
PR: 9452 - Fix 9451 - Missing duplicate merge filter options in Studio
PR: 9446 - Fix 9445 - More than 10 tabs in a views enters in a loop
PR: 8492 - Fix 8366 - V8 API Filtering W/ OR Operator Chained Conditions
Special thanks to everyone who reported the security issues addressed in this release!
NetbyteSEC www.netbytesec.com, Manuel Zametter
Special thanks to the following members for their contributions and participation in this release!
Released 10/02/2022
Important: We have now updated UTF-8 repair tool to fix a critical issue where it would mark valid email addresses as deleted in 7.12.3. We would recommend updating to 7.12.4+ to access the fix for this functionality. We would again like to thank the community for their assistance in identifying and highlighting this issue.
Please note that the UTF-8 Repair will not function for user passwords. Therefore, we would advise any users who could be experiencing issues logging in to reset their password accordingly.
PR: 9483 - Fix 9482 - Only save update fields on utf encoding repair
PR: 9391 - Fix 7842 - Do not reset email addresses list upon saving
PR: 9496 - Fix 9496 - Cannot save dropdown values
PR: 9495 - Fix 9495 - Fix duplicate results in basic search
PR: 8476 - Statically Compile EXT Files & Studio Override Precedence
Special thanks to the following members for their contributions and participation in this release!
Released 27/01/2022
Important: This release resolves an important issue with UTF-8 encoding. Data created from 7.10.30 and 7.11.19 onwards may be wrongly encoded on your database and could therefore result in search issues. To resolve these issues please run the new 'Repair utf encoding' option on the Repair actions via the Admin Tools menu or through Robo CLI.
Important: We have verified an issue with the UTF-8 repair tool marking valid email addresses as deleted. As such, we would discourage users from using the 'Repair utf encoding' option on the Repair actions via the Admin Tools menu or related Robo CLI commands on this version. Please note this is resolved from 7.12.4, please upgrade to this version or above to make use of this feature.
Before running the utf8 data repair command, please take the following into account:
Please make sure to back up your database before you run this action.
The data in your tables will be updated.
The data repair can be executed in two modes: asynchronous and synchronous.
Asynchronous: the default execution mode. It adds a job to the job queue, normalizes records in batches, and requires cron to be configured.
Synchronous: optional; can be used in Robo CLI and in the Repair administration menu. It repairs data on all records in one pass; both Robo CLI and the UI page will only finish after all records are repaired.
To run using robo, use the following command:
./vendor/bin/robo repair:normalize-record-encoding
To run using robo in synchronous mode, run the command with the --sync-run flag:
./vendor/bin/robo repair:normalize-record-encoding --sync-run
For information on more options run:
./vendor/bin/robo repair:normalize-record-encoding --help
To run from the UI:
Log in as an admin user
Go to the Administration page
Go to Repair
Go to Repair utf encoding
Please read the warning messages
Optional: change the settings on the page
Click Submit
You'll see different output depending on the execution mode you've selected.
CVE: Pending - SQL Injection
CVE: Pending - Improper Access Control
CVE: CVE-2021-45898 - Local File Inclusion
CVE: CVE-2021-45899 - PHAR Deserialization Vulnerability / RCE
CVE: CVE-2021-45897 - RCE Vulnerability
PR: 9434 - Fix #9434 - Cron notion unit tests fail
PR: 9420 - Fix #8525, #8309 Bulk Action button missing and delete button showing for users with no delete access
PR: 9398 - Fix #9398 - Consistently store dropdowns in $app_list_strings
PR: 9407 - Fix #9406 - Validation displayed static message isn’t correct
PR: 9353 - Fix #9271 - Primary Email property is kept after adding an Email address field
PR: 9410 - Fix #9378 - Filter by Email1 Field Through the API
PR: 9312 - Fix #9312 - Declaring object within StudioClass to remove Strict Warnings
PR: 9387 - Fix #9387 - Clean Historic and Failed Schedulers
PR: 9401 - Fix #9380 - Date action in workflow fails to save
PR: 9409 - Fix #9408 - Emails can’t be deleted from inline edit
PR: 9455 - Fix #9455 - Popup metadata override removed when filtered
Special thanks to everyone who reported the security issues addressed in this release!
Ihor Bliumental, Manuel Zametter, Cristóbal Leiva
Special thanks to the following members for their contributions and participation in this release!
Released 17/12/2021
CVE: CVE-2021-45903 - XSS Vulnerability
CVE: CVE-2021-41597 - RCE and CSRF Vulnerability
CVE: Pending - Privilege Escalation vulnerability
CVE: CVE-2021-45041 - Authenticated SQL-Injection in SuiteCRM
PR: 9348 - Fix #9382 - Outbound Emails editview Unsupported operand types fatal in php 8
PR: 9379 - Fix #9374 - OAuth password creation Unsupported operand types fatal in php8
PR: 9087 - Fix #9078 - Allow changing text colors when composing an email
PR: 9377 - Fix #9376 - Allow Workflows to run on imported records
PR: 9030 - Fix #9030 - Campaign Email settings removes Email Settings
PR: 9393 - Fix email message modal buttons
Special thanks to everyone who reported the security issues addressed in this release!
Konstantin Damotsev, Victor Garcia, Manuel Zametter
Special thanks to the following members for their contributions and participation in this release!
Released 19/11/2021
CVE: Pending - Fixed file check bypass
CVE: Pending - Local File Inclusion
PR: 9369 - Prevent Email Reminders for Disabled User
Fix 8432 - Remove index limit from mssql index names upon create and repair.
PR: 9334 - Implement PDF extension
PR: 9347 - Fix rebuild scss Robo command
PR: 9357 - Use wildcard rather than the defunct "_all" field
PR: 9351 - Fix 9119 - Rebuild theme cache after custom property changed in Studio
PR: 9368 - Fix 9217 - Revert "Fix Users index incompatible with MSSQL".
PR: 9360 - Fix 9358 - Meeting invite notification emails are not sending to all invitees.
PR: 9361 - Fix 9192: Fix duplication of folders_rel table entries.
PR: 9246 - Fix 6994: Update pollMonitoredInboxesAOP to double check that SugarFolder has been retrieved correctly.
PR: 9367 - Update PDF template warning
Special thanks to the following members for their contributions and participation in this release!
Released 28/10/2021
PR: 9244 - PDF Engine Selection
The MPDF license has been found to no longer be compliant with the AGPL3, and because of this MPDF will not be included in new installs. MPDF will not be removed on upgrade, but the system will default to a new engine, with an option to revert to MPDF if required.
PR: 9185 - Noon Theme
PR: 9298 - Implement TCPDFEngine
PR: 9208 - Implement standard PDF Engines
PR: 9187 - Composer 2.0
PR: 9291 - Allow configuring the Calendar name for the Google Sync via config
PR: 9171 - Upgrade ElasticSearch to 7.x
This is now the minimum ElasticSearch version required for the update.
PR: 9170 - PHPUnit/Codeception Upgrade
PR: 9159 - Implement standard SearchEngines
PR: 9172 - Malicious File Scanning
PR: 9095 - Consolidate global search settings (AOD, Basic)
PR: 9094 - AOD (Lucene) has been Deprecated to be removed in SuiteCRM 8.0
PR: 9321 - Fix TCPDF Scale
PR: 9333 - Deprecate TCPDF
PR: 9335 - Fix PDF Engine Comparability issues
PR: 9186 - Fix missing default config values
PR: 9188 - Fix PDF_Lib constructors
PR: 9324 - Fix search result hits
PR: 9318 - Fix TCPDF Name
PR: 9310 - Fix SearchFormView visible options
PR: 9309 - Update workflow acceptance test
PR: 9296 - Fix CleanCSVTest return types
PR: 9306 - Fix filepath for mPDF class
PR: 9294 - Fix/noon styling issues
PR: 9083 - Update minimum required PHP to v7.3.0
All default config values are now set on install.
The utf8mb4 charset and utf8mb4_general_ci collation are now the default on MySQL databases for new installs.
Released 05/10/2021
PR: 9244 - PDF Engine Selection
The MPDF license has been found to no longer be compliant with the AGPL3, and because of this MPDF will not be included in new installs. MPDF will not be removed on upgrade, but the system will default to a new engine, with an option to revert to MPDF if required.
PR: 9185 - Noon Theme
PR: 9298 - Implement TCPDFEngine
PR: 9208 - Implement standard PDF Engines
PR: 9187 - Composer 2.0
PR: 9171 - Upgrade ElasticSearch to 7.x
This is now the minimum ElasticSearch version required for the update.
PR: 9170 - PHPUnit/Codeception Upgrade
PR: 9159 - Implement standard SearchEngines
PR: 9095 - Consolidate global search settings (AOD, Basic)
Content is available under GNU Free Documentation License 1.3 or later unless otherwise noted.