Sugar Enterprise 25.1.3 Release Notes
Overview
This document describes the changes and functionality available in Sugar Enterprise 25.1.3. Sugar 25.1.3 is available for customers on the annual upgrade path. For customers upgrading from 14.0.4, please refer to the Sugar 25.1.x release notes for additional features, fixed issues, and developer changes occurring between versions 14.0.4 and 25.1.3.
Fixed Issues
Sugar 25.1.3 is a security update released to address certain security vulnerabilities identified during our routine QA checks.
We strongly recommend that you install this update at the earliest opportunity. While we have not experienced any reported incidents relating to these vulnerabilities to date, failure to install this update could leave you exposed to malicious third-party attacks.
Security Advisories
- Security Advisory sugarcrm-sa-2026-001: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-002: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-003: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-004: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-005: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-006: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-007: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-008: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-009: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-010: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-011: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-012: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-013: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-014: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-015: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-016: A Cross-Site Request Forgery issue impacting regular users was identified. The Cross-Site Request Forgery issue has been fixed.
- Security Advisory sugarcrm-sa-2026-017: A Cross-Site Scripting issue impacting admin users was identified. The Cross-Site Scripting issue has been fixed.
- Security Advisory sugarcrm-sa-2026-018: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-019: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-020: An HTTP Host Header Injection issue impacting any user was identified. The HTTP Host Header Injection issue has been fixed.
- Security Advisory sugarcrm-sa-2026-021: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-022: A Cross-Site Request Forgery issue impacting admin users was identified. The Cross-Site Request Forgery issue has been fixed.
- Security Advisory sugarcrm-sa-2026-023: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-024: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-025: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-026: A Privilege Escalation issue impacting regular users was identified. The Privilege Escalation issue has been fixed.
- Security Advisory sugarcrm-sa-2026-027: A Broken Access Control issue impacting regular users was identified. The Broken Access Control issue has been fixed.
- Security Advisory sugarcrm-sa-2026-028: A Regular Expression Denial of Service issue impacting any user was identified. The Regular Expression Denial of Service issue has been fixed.
- Security Advisory sugarcrm-sa-2026-029: A Regular Expression Denial of Service issue impacting any user was identified. The Regular Expression Denial of Service issue has been fixed.
- Security Advisory sugarcrm-sa-2026-030: A Use of Hard-coded Credentials issue impacting any user was identified. The Use of Hard-coded Credentials issue has been fixed.
These vulnerabilities have been addressed in release 25.1.3, which is available for download from the Download Manager.
Administrators are strongly encouraged to upgrade their Sugar instances running 25.1.2 or lower to version 25.1.3 to prevent potential exploitation of these weaknesses.
The following issues have been resolved in this release:
- In certain circumstances, accessing the activity stream view from a module's list view (e.g., Cases) resulted in a 500 error. This issue has been fixed, and users can now access the Activity Stream in the module's list view as expected.
- Sugar failed to send multiple campaign emails when the system’s outbound email setting was configured for Exchange Online. Now, multiple campaign emails are sent without errors in Sugar.
- Dates displayed incorrectly in reports for users using the UK date format (e.g., DD-MM-YYYY). Dates in reports now display correctly for users using the UK date format.
- In certain circumstances, installing Sugar 25.1.x failed to complete and resulted in an error. This has been fixed, and the installation now completes successfully.
- Repeat-type fields in Meetings did not respect the field-level permissions set for a role. The field-level permissions set for Repeat-type fields are now respected properly in Sugar.
- The default refresh token lifetime setting was not respected for SugarIdentity-enabled instances and caused refresh tokens to expire within 24 hours, which resulted in user session timeouts. This issue has been fixed, and the user sessions for SugarIdentity-enabled instances no longer expire after 24 hours.
Supported Platforms
For information on supported platform components, see Sugar 25.1.x Supported Platforms.
Upgrade Paths
Sugar Enterprise Upgrade Paths
| Package | From Version(s) | MySQL | SQLServer | DB2 | Oracle |
| --- | --- | --- | --- | --- | --- |
| New Installs | | ✓ | ✓ | ✓ | ✓ |
| 14.0.4-to-25.1.3 | 14.0.4 | ✓ | ✓ | ✓ | ✓ |
| 25.1.x-to-25.1.3 | 25.1.0, 25.1.1, 25.1.2 | ✓ | ✓ | ✓ | ✓ |