Suitecrm Security Vulnerabilities and Issues — Suitecrm CVE List

Lucene search

SalesagilitySuitecrm

15 matches found

CVE•added 2020/11/06 7:15 p.m.•116 views

CVE-2020-28328

SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

9CVSS8.8AI score0.52665EPSS

CVE•added 2020/03/20 1:15 a.m.•74 views

CVE-2019-18782

SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.

5.3CVSS5.2AI score0.00206EPSS

CVE•added 2020/03/16 10:15 p.m.•60 views

CVE-2020-8783

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).

9.8CVSS9.8AI score0.00435EPSS

CVE•added 2020/03/16 10:15 p.m.•53 views

CVE-2020-8786

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).

9.8CVSS9.8AI score0.00435EPSS

CVE•added 2020/03/16 10:15 p.m.•52 views

CVE-2020-8785

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).

9.8CVSS9.8AI score0.00435EPSS

CVE•added 2020/02/13 4:15 p.m.•51 views

CVE-2020-8800

SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.

8.8CVSS8.7AI score0.00488EPSS

CVE•added 2020/03/16 10:15 p.m.•50 views

CVE-2020-8784

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).

9.8CVSS9.8AI score0.00435EPSS

CVE•added 2020/02/13 4:15 p.m.•50 views

CVE-2020-8803

SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.

9.8CVSS9.4AI score0.0096EPSS

CVE•added 2020/03/16 10:15 p.m.•47 views

CVE-2020-8787

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.

7.5CVSS7.5AI score0.0021EPSS

CVE•added 2020/02/13 4:15 p.m.•47 views

CVE-2020-8804

SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.

6.5CVSS7AI score0.00354EPSS

CVE•added 2020/02/13 4:15 p.m.•44 views

CVE-2020-8801

SuiteCRM through 7.11.11 allows PHAR Deserialization.

7.2CVSS6.9AI score0.00476EPSS

CVE•added 2020/11/18 10:15 p.m.•41 views

CVE-2020-15300

SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.

6.1CVSS6.1AI score0.00285EPSS

CVE•added 2020/02/13 4:15 p.m.•41 views

CVE-2020-8802

SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.

9.8CVSS9.5AI score0.005EPSS

CVE•added 2020/11/18 10:15 p.m.•38 views

CVE-2020-14208

SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.

5.4CVSS5AI score0.00154EPSS

CVE•added 2020/11/18 9:15 p.m.•38 views

CVE-2020-15301

SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.

7.8CVSS7.7AI score0.00273EPSS