M. Cory Billington

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.11.19 **Description** The issue allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, the `logger file name` can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. **Recommendations** For versions prior to 7.11.19, update to version 7.11.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the system settings Log File Name setting to minimize the risk of exploitation. Avoid using the `logger file name` setting in a way that could allow an attacker to control the PHP file under the web root until the issue is resolved.