Search: SalesagilitySuitecrm
11 matches found

CVE-2021-42840 (added 2021/10/22 7:15 p.m.)

SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were bl...

CVSS 9 | AI score 9.1 | EPSS 0.52665

CVE-2021-31792 (added 2021/04/30 10:15 p.m.)

XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field.

CVSS 5.4 | AI score 5.1 | EPSS 0.00379

CVE-2021-45041 (added 2021/12/19 9:15 a.m.)

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.

CVSS 8.8 | AI score 9 | EPSS 0.19908

CVE-2021-39267 (added 2021/08/18 1:15 a.m.)

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (suc...

CVSS 6.1 | AI score 6 | EPSS 0.00723

CVE-2021-25960 (added 2021/09/29 2:15 p.m.)

In the “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a “CSV Injection” vulnerability (Formula Injection). A low-privileged attacker can use the accounts module to inject payloads into the input fields. When an administrator accesses the accounts module to export the ...

CVSS 8 | AI score 7.5 | EPSS 0.00528

CVE-2021-41869 (added 2021/10/04 7:15 a.m.)

SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.

CVSS 8.8 | AI score 8.7 | EPSS 0.00883

CVE-2021-45903 (added 2021/12/28 2:15 p.m.)

A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.

CVSS 6.1 | AI score 5.8 | EPSS 0.00723

CVE-2021-39268 (added 2021/08/18 1:15 a.m.)

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.

CVSS 6.1 | AI score 5.8 | EPSS 0.00411

CVE-2021-41595 (added 2021/10/04 5:15 p.m.)

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.

CVSS 5.3 | AI score 5.2 | EPSS 0.00269

CVE-2021-25961 (added 2021/09/29 2:15 p.m.)

In the “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes account takeover possible for any newly created user with the same user id.

CVSS 8 | AI score 7.9 | EPSS 0.00334

CVE-2021-41596 (added 2021/10/04 5:15 p.m.)

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.

CVSS 5.3 | AI score 5.2 | EPSS 0.00302