Lucene search

K

SuiteCRM Security Vulnerabilities

cve
cve

CVE-2024-36419

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the /legacy route. Version 8.6.1 contains a patch for the...

4.3CVSS

4.8AI Score

0.001EPSS

2024-06-10 10:15 PM
23
cve
cve

CVE-2024-36418

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

8.5CVSS

8.7AI Score

0.0004EPSS

2024-06-10 09:15 PM
24
cve
cve

CVE-2024-36416

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

8.6CVSS

8.4AI Score

0.0005EPSS

2024-06-10 08:15 PM
24
cve
cve

CVE-2024-36414

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

7.7CVSS

7.6AI Score

0.0005EPSS

2024-06-10 08:15 PM
22
cve
cve

CVE-2024-36417

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

9CVSS

5.4AI Score

0.001EPSS

2024-06-10 08:15 PM
28
cve
cve

CVE-2024-36415

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.1CVSS

9.5AI Score

0.001EPSS

2024-06-10 08:15 PM
26
cve
cve

CVE-2024-36413

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

8.9CVSS

8.3AI Score

0.0004EPSS

2024-06-10 08:15 PM
21
cve
cve

CVE-2024-36411

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

9.7AI Score

0.001EPSS

2024-06-10 08:15 PM
24
cve
cve

CVE-2024-36412

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

10CVSS

9.8AI Score

0.001EPSS

2024-06-10 08:15 PM
30
cve
cve

CVE-2024-36410

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

9.7AI Score

0.001EPSS

2024-06-10 06:15 PM
24
cve
cve

CVE-2024-36409

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

9.7AI Score

0.001EPSS

2024-06-10 06:15 PM
24
cve
cve

CVE-2024-36407

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is.....

6.5CVSS

4.4AI Score

0.0005EPSS

2024-06-10 05:16 PM
24
cve
cve

CVE-2024-36408

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the Alerts controller. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

9.7AI Score

0.001EPSS

2024-06-10 05:16 PM
24
cve
cve

CVE-2024-36406

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this...

5.4CVSS

5.4AI Score

0.001EPSS

2024-06-10 03:15 PM
22
cve
cve

CVE-2023-6388

Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to...

5CVSS

5.2AI Score

0.0004EPSS

2024-02-07 03:15 AM
17
cve
cve

CVE-2023-47643

SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...

5.3CVSS

5.1AI Score

0.404EPSS

2023-11-21 08:15 PM
22
cve
cve

CVE-2023-6130

Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...

8.8CVSS

8.1AI Score

0.001EPSS

2023-11-14 05:15 PM
35
cve
cve

CVE-2023-6131

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...

8.8CVSS

8AI Score

0.0005EPSS

2023-11-14 05:15 PM
27
cve
cve

CVE-2023-6128

Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...

5.4CVSS

5.4AI Score

0.0004EPSS

2023-11-14 04:15 PM
35
cve
cve

CVE-2023-6127

Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...

5.4CVSS

5.5AI Score

0.0004EPSS

2023-11-14 04:15 PM
33
cve
cve

CVE-2023-6126

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...

9.8CVSS

7AI Score

0.001EPSS

2023-11-14 04:15 PM
28
cve
cve

CVE-2023-6125

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...

8.8CVSS

7.2AI Score

0.0005EPSS

2023-11-14 04:15 PM
28
cve
cve

CVE-2023-6124

Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2,...

4.3CVSS

4.7AI Score

0.0004EPSS

2023-11-14 03:15 PM
30
cve
cve

CVE-2023-5353

Improper Access Control in GitHub repository salesagility/suitecrm prior to...

6.5CVSS

6.8AI Score

0.0005EPSS

2023-10-03 01:15 PM
71
cve
cve

CVE-2023-5350

SQL Injection in GitHub repository salesagility/suitecrm prior to...

9.1CVSS

8.1AI Score

0.001EPSS

2023-10-03 12:15 PM
66
cve
cve

CVE-2023-5351

Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to...

5.4CVSS

5.6AI Score

0.0004EPSS

2023-10-03 12:15 PM
21
cve
cve

CVE-2023-3627

Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to...

8.8CVSS

8.6AI Score

0.001EPSS

2023-07-11 05:15 PM
22
cve
cve

CVE-2023-3293

Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to...

4.8CVSS

5.1AI Score

0.001EPSS

2023-06-16 11:15 AM
16
cve
cve

CVE-2023-1034

Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to...

8.8CVSS

6.3AI Score

0.001EPSS

2023-02-25 02:15 AM
32
cve
cve

CVE-2022-27474

SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text...

7.2CVSS

7.3AI Score

0.003EPSS

2022-04-15 01:15 PM
54
cve
cve

CVE-2022-23940

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report,...

8.8CVSS

8.7AI Score

0.003EPSS

2022-03-10 05:45 PM
68
cve
cve

CVE-2022-0755

Missing Authorization in GitHub repository salesagility/suitecrm prior to...

4.3CVSS

4.6AI Score

0.001EPSS

2022-03-07 01:15 PM
77
cve
cve

CVE-2022-0756

Missing Authorization in GitHub repository salesagility/suitecrm prior to...

6.5CVSS

6.4AI Score

0.001EPSS

2022-03-07 01:15 PM
59
cve
cve

CVE-2022-0754

SQL Injection in GitHub repository salesagility/suitecrm prior to...

6.5CVSS

6.9AI Score

0.001EPSS

2022-03-07 01:15 PM
63
cve
cve

CVE-2021-45899

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code...

9.8CVSS

9.8AI Score

0.005EPSS

2022-01-28 05:15 PM
33
cve
cve

CVE-2021-45898

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file...

9.8CVSS

9.1AI Score

0.002EPSS

2022-01-28 05:15 PM
36
cve
cve

CVE-2021-45897

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code...

8.8CVSS

9AI Score

0.007EPSS

2022-01-28 05:15 PM
44
cve
cve

CVE-2021-41597

SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP...

8.8CVSS

8.8AI Score

0.005EPSS

2022-01-12 08:15 PM
26
cve
cve

CVE-2021-45903

A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and...

6.1CVSS

5.8AI Score

0.002EPSS

2021-12-28 02:15 PM
25
cve
cve

CVE-2021-45041

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and...

8.8CVSS

9AI Score

0.001EPSS

2021-12-19 09:15 AM
28
cve
cve

CVE-2021-42840

SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were...

8.8CVSS

9.1AI Score

0.089EPSS

2021-10-22 07:15 PM
59
cve
cve

CVE-2021-41595

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import...

5.3CVSS

5.2AI Score

0.001EPSS

2021-10-04 05:15 PM
23
cve
cve

CVE-2021-41596

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import...

5.3CVSS

5.2AI Score

0.001EPSS

2021-10-04 05:15 PM
20
cve
cve

CVE-2021-41869

SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege...

8.8CVSS

8.7AI Score

0.002EPSS

2021-10-04 07:15 AM
25
cve
cve

CVE-2021-25961

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user...

8CVSS

7.8AI Score

0.002EPSS

2021-09-29 02:15 PM
18
cve
cve

CVE-2021-25960

In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the....

8CVSS

7.4AI Score

0.002EPSS

2021-09-29 02:15 PM
20
cve
cve

CVE-2021-39268

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be...

6.1CVSS

5.8AI Score

0.001EPSS

2021-08-18 01:15 AM
21
2
cve
cve

CVE-2021-39267

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution...

6.1CVSS

6AI Score

0.002EPSS

2021-08-18 01:15 AM
22
2
cve
cve

CVE-2021-31792

XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name...

5.4CVSS

5.1AI Score

0.001EPSS

2021-04-30 10:15 PM
60
4
cve
cve

CVE-2020-15300

SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG...

6.1CVSS

6.1AI Score

0.001EPSS

2020-11-18 10:15 PM
25
Total number of security vulnerabilities79