SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
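As an added illustration (not SuiteCRM's own code) of why a case-sensitive extension denylist is an incomplete fix, the Python below contrasts a naive lowercase-only check with a case-insensitive allowlist validator for a log file name; the denylist contents, function names and sample names are assumptions constructed for this example.

```python
import os

# Assumed, hypothetical denylist for the naive check; not SuiteCRM's actual list.
BLOCKED_LOWERCASE = (".php",)


def naive_log_name_check(name: str) -> bool:
    """Accept unless the name ends in an exact-case blocked extension.

    This mirrors the incomplete-fix pattern: only all-lowercase '.php' is
    rejected, so mixed-case variants such as '.PHP' pass through.
    """
    return not name.endswith(BLOCKED_LOWERCASE)


def hardened_log_name_check(name: str) -> bool:
    """Allowlist-based check: a bare file name, '.log' extension, case-insensitive.

    Rejects path components (no directory traversal), hidden files, empty names,
    and any stem that is not a plain alphanumeric/underscore/hyphen token, so
    double extensions like 'x.php.log' are also refused.
    """
    base = os.path.basename(name)
    if base != name or not base or base.startswith("."):
        return False
    stem, ext = os.path.splitext(base)
    if ext.lower() != ".log":
        return False
    return stem.replace("_", "").replace("-", "").isalnum()


def disagreements(candidates):
    """Return names the naive check accepts but the hardened check rejects.

    Useful when reviewing an existing validator: every entry here is a value
    the weaker check would have let into configuration.
    """
    return [n for n in candidates if naive_log_name_check(n)
            and not hardened_log_name_check(n)]


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    samples = ["suitecrm.log", "suitecrm.php", "suitecrm.PHP",
               "../suitecrm.log", "suitecrm.php.log"]
    for n in samples:
        print(f"{n!r:22} naive={naive_log_name_check(n)} "
              f"hardened={hardened_log_name_check(n)}")
    print("accepted only by naive check:", disagreements(samples))
```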
SuiteCRM 7.11.18 Remote Code Execution
SuiteCRM 7.11.15 Remote Code Execution
SuiteCRM Log File Remote Code Execution
Exploit for Unrestricted Upload of File with Dangerous Type in Salesagility Suitecrm
SuiteCRM Remote Code Execution (CVE-2020-28328)
SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)