SuiteCRM Security Vulnerabilities
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the /legacy route. Version 8.6.1 contains a patch for the...
4.3CVSS
4.8AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
8.5CVSS
8.7AI Score
0.0004EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...
8.6CVSS
8.4AI Score
0.0005EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
9CVSS
5.4AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
7.7CVSS
7.6AI Score
0.0005EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.1CVSS
9.5AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
8.9CVSS
8.3AI Score
0.0004EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.6CVSS
9.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
10CVSS
9.8AI Score
0.048EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.6CVSS
9.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.6CVSS
9.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is.....
6.5CVSS
4.4AI Score
0.0005EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the Alerts controller. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.6CVSS
9.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this...
5.4CVSS
5.4AI Score
0.001EPSS
Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to...
5CVSS
5.2AI Score
0.0004EPSS
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...
5.3CVSS
5.1AI Score
0.404EPSS
Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
8.8CVSS
8.1AI Score
0.001EPSS
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
8.8CVSS
8AI Score
0.0005EPSS
Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
5.4CVSS
5.4AI Score
0.0004EPSS
Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
5.4CVSS
5.5AI Score
0.0004EPSS
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
9.8CVSS
7AI Score
0.001EPSS
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
8.8CVSS
7.2AI Score
0.0005EPSS
Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2,...
4.3CVSS
4.7AI Score
0.0004EPSS
6.5CVSS
6.8AI Score
0.0005EPSS
9.1CVSS
8.1AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to...
5.4CVSS
5.6AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to...
8.8CVSS
8.6AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to...
4.8CVSS
5.1AI Score
0.001EPSS
Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to...
8.8CVSS
6.3AI Score
0.001EPSS
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text...
7.2CVSS
7.3AI Score
0.003EPSS
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report,...
8.8CVSS
8.7AI Score
0.003EPSS
4.3CVSS
4.6AI Score
0.001EPSS
6.5CVSS
6.4AI Score
0.001EPSS
6.5CVSS
6.9AI Score
0.001EPSS
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code...
9.8CVSS
9.8AI Score
0.005EPSS
8.8CVSS
9AI Score
0.007EPSS
9.8CVSS
9.1AI Score
0.002EPSS
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP...
8.8CVSS
8.8AI Score
0.005EPSS
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and...
6.1CVSS
5.8AI Score
0.002EPSS
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and...
8.8CVSS
9AI Score
0.001EPSS
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were...
8.8CVSS
9.1AI Score
0.089EPSS
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import...
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import...
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege...
8.8CVSS
8.7AI Score
0.002EPSS
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user...
8CVSS
7.8AI Score
0.002EPSS
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the....
8CVSS
7.4AI Score
0.002EPSS
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be...
6.1CVSS
5.8AI Score
0.001EPSS
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution...
6.1CVSS
6AI Score
0.002EPSS
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name...
5.4CVSS
5.1AI Score
0.001EPSS
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG...
6.1CVSS
6.1AI Score
0.001EPSS