Description
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
Remediation
References
Related Vulnerabilities
WordPress Plugin UPM Polls 'PID' Parameter SQL Injection (1.0.4)
Rukovoditel Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-20166)
WordPress Plugin Xorbin Digital Flash Clock Cross-Site Scripting (1.0)
ownCloud Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-0204)