Bitnami package
suitecrm
pkg:bitnami/suitecrm
Vulnerabilities (74)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-14208 | — | < 7.11.14 | 7.11.14 | Nov 18, 2020 | SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. | ||
| CVE-2020-15300 | — | < 7.11.14 | 7.11.14 | Nov 18, 2020 | SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. | ||
| CVE-2020-15301 | — | < 7.11.14 | 7.11.14 | Nov 18, 2020 | SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. | ||
| CVE-2020-28328 | — | < 7.11.17 | 7.11.17 | Nov 6, 2020 | SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. | ||
| CVE-2020-8784 | — | >= 7.10.0, < 7.10.23 | 7.10.23 | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). | ||
| CVE-2020-8785 | — | >= 7.10.0, < 7.10.23 | 7.10.23 | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). | ||
| CVE-2020-8786 | — | >= 7.10.0, < 7.10.23 | 7.10.23 | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4). | ||
| CVE-2020-8787 | — | >= 7.10.0, < 7.10.23 | 7.10.23 | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted. | ||
| CVE-2020-8783 | — | >= 7.10.0, < 7.10.23 | 7.10.23 | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4). | ||
| CVE-2020-8804 | — | < 7.11.11 | 7.11.11 | Feb 13, 2020 | SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. | ||
| CVE-2020-8803 | — | < 7.11.12 | 7.11.12 | Feb 13, 2020 | SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list. | ||
| CVE-2020-8802 | — | < 7.11.12 | 7.11.12 | Feb 13, 2020 | SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation. | ||
| CVE-2020-8801 | — | < 7.11.12 | 7.11.12 | Feb 13, 2020 | SuiteCRM through 7.11.11 allows PHAR Deserialization. | ||
| CVE-2020-8800 | — | < 7.11.12 | 7.11.12 | Feb 13, 2020 | SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. |
- CVE-2020-14208Nov 18, 2020affected < 7.11.14fixed 7.11.14
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
- CVE-2020-15300Nov 18, 2020affected < 7.11.14fixed 7.11.14
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
- CVE-2020-15301Nov 18, 2020affected < 7.11.14fixed 7.11.14
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
- CVE-2020-28328Nov 6, 2020affected < 7.11.17fixed 7.11.17
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
- CVE-2020-8784Mar 16, 2020affected >= 7.10.0, < 7.10.23fixed 7.10.23
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
- CVE-2020-8785Mar 16, 2020affected >= 7.10.0, < 7.10.23fixed 7.10.23
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
- CVE-2020-8786Mar 16, 2020affected >= 7.10.0, < 7.10.23fixed 7.10.23
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
- CVE-2020-8787Mar 16, 2020affected >= 7.10.0, < 7.10.23fixed 7.10.23
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
- CVE-2020-8783Mar 16, 2020affected >= 7.10.0, < 7.10.23fixed 7.10.23
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
- CVE-2020-8804Feb 13, 2020affected < 7.11.11fixed 7.11.11
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
- CVE-2020-8803Feb 13, 2020affected < 7.11.12fixed 7.11.12
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
- CVE-2020-8802Feb 13, 2020affected < 7.11.12fixed 7.11.12
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
- CVE-2020-8801Feb 13, 2020affected < 7.11.12fixed 7.11.12
SuiteCRM through 7.11.11 allows PHAR Deserialization.
- CVE-2020-8800Feb 13, 2020affected < 7.11.12fixed 7.11.12
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
Page 4 of 4