Salesagility Security Vulnerabilities
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...
5.3CVSS
7AI Score
0.062EPSS
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
7.2CVSS
7.6AI Score
0.0005EPSS
Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2,...
5CVSS
7.2AI Score
0.0004EPSS
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
5.4CVSS
7.6AI Score
0.0005EPSS
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
4.3CVSS
7.6AI Score
0.001EPSS
Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
5.4CVSS
7.2AI Score
0.0004EPSS
Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
7.5CVSS
7.1AI Score
0.001EPSS
Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14,...
6.8CVSS
6.4AI Score
0.0004EPSS
8.1CVSS
6.5AI Score
0.0005EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to...
8.9CVSS
5.3AI Score
0.0004EPSS
6.4CVSS
9.6AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to...
8.1CVSS
8.8AI Score
0.001EPSS
6.5CVSS
6.5AI Score
0.001EPSS
4.3CVSS
4.6AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to...
7.6CVSS
4.9AI Score
0.001EPSS
Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to...
4.3CVSS
8.7AI Score
0.001EPSS
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text...
7.2CVSS
7.3AI Score
0.003EPSS
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report,...
8.8CVSS
8.8AI Score
0.003EPSS
6.5CVSS
6.9AI Score
0.001EPSS
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code...
9.8CVSS
9.7AI Score
0.005EPSS
8.8CVSS
9AI Score
0.007EPSS
9.8CVSS
9.1AI Score
0.002EPSS
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP...
8.8CVSS
8.8AI Score
0.005EPSS
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and...
6.1CVSS
6AI Score
0.002EPSS
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and...
8.8CVSS
9AI Score
0.001EPSS
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were...
8.8CVSS
9.2AI Score
0.073EPSS
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import...
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import...
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege...
8.8CVSS
8.6AI Score
0.002EPSS
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the....
8CVSS
7.5AI Score
0.002EPSS
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user...
8CVSS
7.8AI Score
0.002EPSS
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be...
6.1CVSS
5.9AI Score
0.001EPSS
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution...
6.1CVSS
6.1AI Score
0.002EPSS
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name...
5.4CVSS
5.2AI Score
0.001EPSS
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG...
6.1CVSS
7.3AI Score
0.001EPSS
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or...
5.4CVSS
5.8AI Score
0.001EPSS
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template...
7.8CVSS
7.9AI Score
0.001EPSS
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web...
8.8CVSS
8.9AI Score
0.078EPSS
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection...
5.3CVSS
7.3AI Score
0.001EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of...
9.8CVSS
8.7AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of...
9.8CVSS
8.7AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of...
9.8CVSS
8.7AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of...
9.8CVSS
8.7AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be...
7.5CVSS
7.4AI Score
0.001EPSS
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean...
9.8CVSS
6.9AI Score
0.007EPSS
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via...
9.8CVSS
6.9AI Score
0.032EPSS
8.8CVSS
6.9AI Score
0.002EPSS
7.2CVSS
6.8AI Score
0.002EPSS
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge...
6.5CVSS
8.2AI Score
0.004EPSS
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL...
9.8CVSS
8.1AI Score
0.002EPSS