Three Patches for Sage CRM are now available and have been distributed to the Sage Regions.

• Sage CRM 2021 R2.5
• Sage CRM 2022 R2.4
• Sage CRM 2023 R2.2

These patches resolve a few internal issues and provide a new system feature to control of application security.

Enhancements

A new checkbox Allow external URLs in website gadgets in the system behaviour settings allows system administrators to enable or disable external URLs in the website gadgets.

Allowing external URLs makes Sage CRM less secure, because users can be potentially redirected to a malicious URL.

Note: An Interactive Dashboard Website Gadget will not display website pages configured to prevent pages from being loaded within an iframe on another domain. Using Firefox, the following message may be displayed "To protect your security, <URL> will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window." Other browsers will not display a message. This is a server HTTP Response Header setting and not a CRM bug.

Improvements

• Apache Solr has been upgraded to version 8.
• Mitigation has been provided to prevent SQL injection attack within certain fields.
• A fix has been applied to an error that occurred when a user uploaded a file whose name contained an ampersand (&) to Sage CRM.

The following direct upgrades are supported:

• 2021 R1 - 2021 R2.5
• 2021 R2 - 2021 R2.5
• 2022 R1 - 2022 R2.4
• 2022 R2 - 2022 R2.4
• 2023 R1 - 2023 R2.2
• 2023 R2 - 2023 R2.2

Please note that these patches apply to Sage CRM standalone and when integrated with Sage accounting products; Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.

The Sage Regions will announce the appropriate download links shortly, and share the status of their application to integrated products.

In all cases, it’s our advice the patches are applied as soon as possible.