Bitnami package
suitecrm
pkg:bitnami/suitecrm
Vulnerabilities (74)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54786 | — | >= 7.14.6, < 7.14.7 | 7.14.7 | Aug 6, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's | ||
| CVE-2022-45186 | — | >= 7.12.7, <= 7.12.7 | — | Jan 7, 2025 | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database. | ||
| CVE-2022-45185 | — | >= 7.12.7, <= 7.12.7 | — | Jan 7, 2025 | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution. | ||
| CVE-2024-50335 | — | < 7.14.6 | 7.14.6 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This | ||
| CVE-2024-50333 | — | < 7.14.6 | 7.14.6 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language fil | ||
| CVE-2024-50332 | — | < 7.14.6 | 7.14.6 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade | ||
| CVE-2024-49774 | — | < 7.14.6 | 7.14.6 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses | ||
| CVE-2024-49773 | — | < 7.14.6 | 7.14.6 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` en | ||
| CVE-2024-49772 | — | < 7.14.6 | 7.14.6 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor input validation allows authenticated user do a SQL injection attack. Authenticated user with low pivilege can leak all data in database. Th | ||
| CVE-2024-45392 | — | < 7.14.5 | 7.14.5 | Sep 5, 2024 | SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue. | ||
| CVE-2024-36419 | — | < 8.6.1 | 8.6.1 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue. | ||
| CVE-2024-36418 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue | ||
| CVE-2024-36416 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||
| CVE-2024-36417 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this is | ||
| CVE-2024-36415 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||
| CVE-2024-36414 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||
| CVE-2024-36413 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||
| CVE-2024-36412 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||
| CVE-2024-36411 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||
| CVE-2024-36410 | — | < 7.14.4 | 7.14.4 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
- CVE-2025-54786Aug 6, 2025affected >= 7.14.6, < 7.14.7fixed 7.14.7
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's
- CVE-2022-45186Jan 7, 2025affected >= 7.12.7, <= 7.12.7
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.
- CVE-2022-45185Jan 7, 2025affected >= 7.12.7, <= 7.12.7
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution.
- CVE-2024-50335Nov 5, 2024affected < 7.14.6fixed 7.14.6
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This
- CVE-2024-50333Nov 5, 2024affected < 7.14.6fixed 7.14.6
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language fil
- CVE-2024-50332Nov 5, 2024affected < 7.14.6fixed 7.14.6
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade
- CVE-2024-49774Nov 5, 2024affected < 7.14.6fixed 7.14.6
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses
- CVE-2024-49773Nov 5, 2024affected < 7.14.6fixed 7.14.6
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` en
- CVE-2024-49772Nov 5, 2024affected < 7.14.6fixed 7.14.6
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor input validation allows authenticated user do a SQL injection attack. Authenticated user with low pivilege can leak all data in database. Th
- CVE-2024-45392Sep 5, 2024affected < 7.14.5fixed 7.14.5
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue.
- CVE-2024-36419Jun 10, 2024affected < 8.6.1fixed 8.6.1
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
- CVE-2024-36418Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue
- CVE-2024-36416Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36417Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this is
- CVE-2024-36415Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36414Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36413Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36412Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36411Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36410Jun 10, 2024affected < 7.14.4fixed 7.14.4
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Page 1 of 4