Suitecrm
by Suitecrm
Source repositories
CVEs (96)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-36410 | | | 0.00 | — | 0.00 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2024-36409 | | | 0.00 | — | 0.00 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2024-36408 | | | 0.00 | — | 0.00 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2024-36407 | | | 0.00 | — | 0.00 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the… |
| CVE-2024-36406 | | | 0.00 | — | 0.00 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2023-47643 | | | 0.00 | — | 0.03 | | Nov 21, 2023 | SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, GraphQL Introspection is enabled without authentication, exposing the schema defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and… |
| CVE-2022-27474 | | | 0.00 | — | 0.22 | | Apr 15, 2022 | SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field. |
| CVE-2021-45899 | | | 0.00 | — | 0.02 | | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution. |
| CVE-2021-45898 | | | 0.00 | — | 0.01 | | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion. |
| CVE-2021-41597 | | | 0.00 | — | 0.01 | | Jan 12, 2022 | SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive. |
| CVE-2021-45903 | | | 0.00 | — | 0.01 | | Dec 28, 2021 | A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. |
| CVE-2021-41596 | | | 0.00 | — | 0.02 | | Oct 4, 2021 | SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. |
| CVE-2021-25961 | | | 0.00 | — | 0.01 | | Sep 29, 2021 | In the "SuiteCRM" application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. |
| CVE-2020-14208 | | | 0.00 | — | 0.01 | | Nov 18, 2020 | SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. |
| CVE-2020-15300 | | | 0.00 | — | 0.01 | | Nov 18, 2020 | SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. |
| CVE-2019-18785 | | | 0.00 | — | 0.01 | | Mar 20, 2020 | SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. |
| CVE-2019-18782 | | | 0.00 | — | 0.01 | | Mar 20, 2020 | SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism. |
| CVE-2020-8784 | | | 0.00 | — | 0.01 | | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). |
| CVE-2020-8785 | | | 0.00 | — | 0.01 | | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). |
| CVE-2020-8786 | | | 0.00 | — | 0.01 | | Mar 16, 2020 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4). |
Page 4 of 5