Bitnami package
suitecrm
pkg:bitnami/suitecrm
Vulnerabilities (74)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-27474 | — | | | >= 7.11.23, < 7.11.24 | 7.11.24 | Apr 15, 2022 | SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field. |
| CVE-2022-23940 | — | | | < 7.12.5 | 7.12.5 | Mar 7, 2022 | SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious |
| CVE-2022-0754 | — | | | < 7.12.5 | 7.12.5 | Mar 7, 2022 | SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| CVE-2022-0756 | — | | | < 7.12.5 | 7.12.5 | Mar 7, 2022 | Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| CVE-2022-0755 | — | | | < 7.12.5 | 7.12.5 | Mar 7, 2022 | Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. |
| CVE-2021-45899 | — | | | < 7.12.3 | 7.12.3 | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution. |
| CVE-2021-45898 | — | | | < 7.12.3 | 7.12.3 | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion. |
| CVE-2021-45897 | — | | | < 7.12.3 | 7.12.3 | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. |
| CVE-2021-41597 | — | | | >= 7.10.0, < 7.10.35 | 7.10.35 | Jan 12, 2022 | SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive. |
| CVE-2021-45903 | — | | | < 7.10.35 | 7.10.35 | Dec 28, 2021 | A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. |
| CVE-2021-45041 | — | | | < 7.12.2 | 7.12.2 | Dec 19, 2021 | SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. |
| CVE-2021-42840 | — | | | < 7.11.19 | 7.11.19 | Oct 22, 2021 | SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file |
| CVE-2021-41596 | — | | | < 7.10.33 | 7.10.33 | Oct 4, 2021 | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. |
| CVE-2021-41595 | — | | | < 7.10.33 | 7.10.33 | Oct 4, 2021 | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality. |
| CVE-2021-41869 | — | | | >= 7.10.0, < 7.10.33 | 7.10.33 | Oct 4, 2021 | SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation. |
| CVE-2021-25960 | — | | | >= 7.10.29, < 7.10.32 | 7.10.32 | Sep 29, 2021 | In the "SuiteCRM" application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a "CSV Injection" vulnerability (Formula Injection). A low-privileged attacker can use the accounts module to inject payloads in the input fields. When an administrator access accounts mo |
| CVE-2021-25961 | — | | | >= 7.1.7, < 7.10.32 | 7.10.32 | Sep 29, 2021 | In the "SuiteCRM" application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes it possible to take over any newly created user with the same user id. |
| CVE-2021-39267 | — | | | < 7.11.19 | 7.11.19 | Aug 18, 2021 | Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaSc |
| CVE-2021-39268 | — | | | < 7.11.19 | 7.11.19 | Aug 18, 2021 | Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. |
| CVE-2021-31792 | — | | | < 7.11.19 | 7.11.19 | Apr 30, 2021 | XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field. |
Page 3 of 4