How to solve vulnerabilities without upgrading the version

I have the SuiteCRM 7.10 version installed with a lot of customization, even in core. And I saw these vulnerabilities:

SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS.
SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.
SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation.

Is it possible to keep my 7.10 version and solve these problems? Can I check, in advance,
which files would be overridden if I have to install a patch?

It's very important to know which files would be overridden, since I have too much customization.


It’s hard to determine exactly, because security fixes are not always made obvious for, well, security reasons. The best practice is to avoid immediate disclosure, to allow people time to deploy the patched versions.

So you can achieve what you want if you examine everything that happens on GitHub very closely, at code level (not just by reading Issues and PRs). But that is too much work, and too complex.

Bottom-line: there’s no way around it, you really need to keep your system upgrade-safe, and upgrade often. An un-upgradable system is an insecure system, period. You need to correct the way you’re managing your project.

It’s likely that many of the customizations you made in core could be moved to the custom directory with some skill. It’s not always obvious, and it’s not always just a matter of copying files to the custom dir; sometimes it’s done with the Extension Mechanism, sometimes by changing the references in the module’s metadata files, etc.

Even if you eventually need to make changes in core, that’s what you should be managing in detail, at code level. Some people keep exact lists of all their customizations, even if there are dozens of them (especially if there are dozens of them!), and carefully verify or re-apply them after each upgrade.
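The two checks the reply describes, keeping a list of modified core files and verifying them around an upgrade, can be scripted. The following is an added example, not code from this thread or from SuiteCRM: before applying a package it reports which of your customized core files the package would overwrite, and after the upgrade it reports which recorded files changed so you know what to re-apply. The file names, the customized-file list and the package listing in the demo are constructed for illustration; in practice the customized list would come from something like `git diff --name-only <pristine-tag>` and the package listing from `unzip -Z1 package.zip` (with any top-level directory prefix stripped).

```shell
#!/bin/sh
# Added example (not from the thread or SuiteCRM). Pre-upgrade collision check plus
# post-upgrade verification of customized core files. Paths are constructed.

# list_collisions CUSTOM_LIST PACKAGE_LIST
#   Both arguments are files with one relative path per line. Prints the sorted set of
#   customized files that also appear in the package listing, i.e. the ones the
#   upgrade would overwrite. Directory entries (trailing "/") in the listing are ignored.
list_collisions() {
    tmp=$(mktemp) || return 1
    # Drop "./" prefixes, blank lines and "#" comments. A blank line in a grep -F
    # pattern file matches every line, so it must never reach grep.
    sed -e 's#^\./##' -e '/^[[:space:]]*$/d' -e '/^#/d' "$1" | sort -u > "$tmp"
    sed -e 's#^\./##' -e '/^[[:space:]]*$/d' -e '/\/$/d' "$2" | sort -u | grep -Fxf "$tmp" || true
    rm -f "$tmp"
}

# record_manifest CUSTOM_LIST MANIFEST
#   Captures "sha256  path" for every customized file that exists, before the upgrade.
#   (Paths containing whitespace are not supported by this simple format.)
record_manifest() {
    : > "$2"
    while IFS= read -r f; do
        if [ -f "$f" ]; then sha256sum "$f" >> "$2"; fi
    done < "$1"
}

# verify_manifest MANIFEST
#   After the upgrade, prints each recorded file that changed or disappeared; those are
#   the customizations to re-apply. Returns 1 if anything was reported, 0 otherwise.
verify_manifest() {
    changed=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; changed=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; changed=1
        fi
    done < "$1"
    return $changed
}

# demo: runs the whole procedure in a scratch directory on constructed data.
demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir -p modules/Accounts include
        printf 'local change\n' > modules/Accounts/Account.php
        printf 'local change\n' > include/utils.php
        # Constructed customized-file list; the blank line shows it is tolerated.
        printf 'modules/Accounts/Account.php\n\ninclude/utils.php\n' > customized.txt
        # Constructed package listing: a directory entry, one colliding file, one not.
        printf 'modules/\nmodules/Accounts/Account.php\ninclude/MVC/View/SugarView.php\n' > package.txt
        echo "would be overwritten:"
        list_collisions customized.txt package.txt
        record_manifest customized.txt manifest.txt
        # Simulate the package replacing the colliding file.
        printf 'upstream change\n' > modules/Accounts/Account.php
        echo "changed after upgrade:"
        verify_manifest manifest.txt || true
    )
    rm -rf "$work"
}

demo
```

Run `list_collisions` against the real package listing before upgrading to see what will be clobbered, `record_manifest` right before applying the package, and `verify_manifest` right after; a non-zero exit from the last one is a convenient signal to fail a deployment step until the listed files have been re-merged.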