SugarCRM contains a flaw related to the logging functionality that may allow a remote attacker to execute arbitrary code. The issue is due to the administrator being able to specify any name for a log file, including one with a .php extension. Once the log file has been renamed this way and content has been injected into it, the log can be requested directly to execute arbitrary PHP code.
Remote / Network Access
Loss of Integrity
Upgrade to version 6.5.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
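The check whose absence the description above points to, as an added example (not SugarCRM's code and not the 6.5.3 fix): an allowlist validator for an administrator-supplied log file name. The function name, the constant and the allowed extensions are assumptions made for illustration.

```php
<?php
// Added example: validate_log_filename() and ALLOWED_LOG_EXTENSIONS are
// hypothetical names, not part of SugarCRM.
const ALLOWED_LOG_EXTENSIONS = ['log', 'txt']; // assumed policy

/** Return the normalised name, or throw if it is not a plain log file name. */
function validate_log_filename(string $input): string
{
    // Trailing dots and spaces are dropped by some filesystems, so
    // "app.php." could be stored as "app.php"; strip them before checking.
    $name = rtrim($input, '. ');

    // Exactly one stem and one extension. This also rejects path
    // separators, NUL bytes and stacked extensions such as "app.php.log",
    // which some web server configurations still hand to the PHP handler.
    if (!preg_match('/\A([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)\z/', $name, $m)) {
        throw new InvalidArgumentException('malformed log file name');
    }

    // Allowlist rather than a denylist of script extensions: .phtml, .php5
    // and similar variants are refused without having to be enumerated.
    $ext = strtolower($m[2]);
    if (!in_array($ext, ALLOWED_LOG_EXTENSIONS, true)) {
        throw new InvalidArgumentException("extension .$ext not allowed for logs");
    }
    return $m[1] . '.' . $ext;
}

// Constructed sample inputs, as an administrator might submit them.
$samples = ['sugarcrm.log', 'audit.TXT', 'sugarcrm.php', 'sugarcrm.php.log',
            'sugarcrm.php.', '../cache/x.log', "sugarcrm.log\0.php"];
foreach ($samples as $s) {
    $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
    try {
        printf("%-26s accepted as %s\n", $shown, validate_log_filename($s));
    } catch (InvalidArgumentException $e) {
        printf("%-26s rejected: %s\n", $shown, $e->getMessage());
    }
}
```

Keeping the log directory outside the web root, or denying direct requests to it, removes the second half of the issue: a log that cannot be requested cannot be executed whatever it is called.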