Description

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.

Remediation

References

CVE-2019-17304

Related Vulnerabilities

Zenphoto Other Vulnerability (CVE-2007-0616)
WordPress 4.1.x Cross-Domain Flash Injection Vulnerability (4.1 - 4.1.21)
Vulnerable package dependencies [low]
qdPM Sensitive Information Disclosure Vulnerability (CVE-2015-3882)
Joomla! Core 3.x.x SQL Injection (3.2.0 - 3.4.4)

Severity

High

Classification

CVE-2019-17304
CWE-94
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update
Known Vulnerabilities