CVEdetails.com the ultimate security vulnerability data source
Salesagility » Suitecrm » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-23940 | 502 | | Exec Code | 2022-03-10 | 2022-03-16 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend deserializes the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution. |
| 2 | CVE-2022-0756 | 863 | | | 2022-03-07 | 2022-03-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Improper Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| 3 | CVE-2022-0755 | 287 | | | 2022-03-07 | 2022-03-11 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| 4 | CVE-2022-0754 | 89 | | Sql | 2022-03-07 | 2022-03-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None | SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| 5 | CVE-2021-45903 | 79 | | XSS | 2021-12-28 | 2022-01-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachment upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. |
| 6 | CVE-2021-45899 | 502 | | Exec Code | 2022-01-28 | 2022-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution. |
| 7 | CVE-2021-45898 | | | File Inclusion | 2022-01-28 | 2022-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion. |
| 8 | CVE-2021-45897 | | | Exec Code | 2022-01-28 | 2022-02-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. |
| 9 | CVE-2021-45041 | 89 | | Sql | 2021-12-19 | 2022-01-04 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. |
| 10 | CVE-2021-42840 | 434 | | Exec Code | 2021-10-22 | 2021-11-30 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328. |
| 11 | CVE-2021-41869 | | | | 2021-10-04 | 2022-07-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation. |
| 12 | CVE-2021-41597 | 352 | | Exec Code CSRF | 2022-01-12 | 2022-01-19 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive. |
| 13 | CVE-2021-41596 | 22 | | Dir. Trav. | 2021-10-04 | 2021-10-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. |
| 14 | CVE-2021-41595 | 22 | | Dir. Trav. | 2021-10-04 | 2021-10-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality. |
| 15 | CVE-2021-39268 | 79 | | XSS Bypass | 2021-08-18 | 2021-08-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. |
| 16 | CVE-2021-39267 | 79 | | XSS Bypass | 2021-08-18 | 2021-08-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked. |
| 17 | CVE-2021-31792 | 79 | | XSS | 2021-04-30 | 2021-05-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field. |
| 18 | CVE-2021-25961 | 640 | | | 2021-09-29 | 2021-10-07 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | In the “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links associated with a deleted user id, which makes account takeover of any newly created user with the same user id possible. |
| 19 | CVE-2021-25960 | 1236 | | Bypass | 2021-09-29 | 2021-10-07 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | In the “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a “CSV Injection” (Formula Injection) vulnerability. A low-privileged attacker can use the Accounts module to inject payloads into the input fields. When an administrator accesses the Accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. |
| 20 | CVE-2020-28328 | 434 | | Exec Code | 2020-11-06 | 2021-12-02 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. |
| 21 | CVE-2020-15301 | 1236 | | | 2020-11-18 | 2020-12-02 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. |
| 22 | CVE-2020-15300 | 601 | | | 2020-11-18 | 2020-12-01 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. |
| 23 | CVE-2020-14208 | 79 | | XSS | 2020-11-18 | 2020-11-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. |
| 24 | CVE-2020-8804 | 89 | | Sql | 2020-02-13 | 2020-02-25 | 4.0 | None | Remote | Low | ??? | Partial | None | None | SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. |
| 25 | CVE-2020-8803 | 22 | | Dir. Trav. | 2020-02-13 | 2020-02-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list. |
| 26 | CVE-2020-8802 | 89 | | Sql | 2020-02-13 | 2020-02-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation. |
| 27 | CVE-2020-8801 | 74 | | | 2020-02-13 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SuiteCRM through 7.11.11 allows PHAR Deserialization. |
| 28 | CVE-2020-8800 | 74 | | | 2020-02-13 | 2020-02-19 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. |
| 29 | CVE-2020-8787 | 20 | | | 2020-03-16 | 2020-03-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow an invalid Bean ID to be submitted. |
| 30 | CVE-2020-8786 | 89 | | Sql | 2020-03-16 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4). |
| 31 | CVE-2020-8785 | 89 | | Sql | 2020-03-16 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). |
| 32 | CVE-2020-8784 | 89 | | Sql | 2020-03-16 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). |
| 33 | CVE-2020-8783 | 89 | | Sql | 2020-03-16 | 2020-03-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4). |
| 34 | CVE-2019-18784 | 89 | | Sql | 2019-11-06 | 2019-11-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection. |
| 35 | CVE-2019-18782 | | | | 2020-03-20 | 2020-04-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 do not correctly implement the .htaccess protection mechanism. |
| 36 | CVE-2019-16922 | 200 | | +Info | 2019-09-27 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files. |
| 37 | CVE-2019-14752 | 79 | | XSS | 2019-09-30 | 2019-10-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 has XSS. |
| 38 | CVE-2019-14454 | | | | 2019-10-02 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.11.x before 7.11.8 and 7.10.x before 7.10.20 is vulnerable to vertical privilege escalation. |
| 39 | CVE-2019-13335 | 918 | | | 2019-10-02 | 2019-10-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SalesAgility SuiteCRM 7.10.x before 7.10.19 and 7.11.x before 7.11.7 has SSRF. |
| 40 | CVE-2019-12601 | 89 | | Sql | 2019-06-07 | 2019-06-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3). |
| 41 | CVE-2019-12600 | 89 | | Sql | 2019-06-07 | 2019-06-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3). |
| 42 | CVE-2019-12599 | 89 | | Sql | 2019-06-07 | 2019-06-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection. |
| 43 | CVE-2019-12598 | 89 | | Sql | 2019-06-07 | 2019-06-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3). |
| 44 | CVE-2018-20816 | 352 | | XSS CSRF | 2019-04-05 | 2021-07-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature, where users can receive a malicious attack through a phished URL, with script executed. |
| 45 | CVE-2018-15606 | 79 | | XSS | 2018-09-26 | 2018-11-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message. |
| 46 | CVE-2015-5948 | 362 | | Exec Code | 2017-09-06 | 2017-09-09 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947. |
| 47 | CVE-2015-5947 | 362 | | Exec Code | 2017-09-06 | 2020-06-12 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. |
Total number of vulnerabilities: 47 (Page 1)