Salesagility
Products
1- 55 CVEs
Recent CVEs
55| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-5946 | Hig | 0.51 | 7.8 | 0.02 | Aug 7, 2017 | Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. | ||
| CVE-2015-5948 | Hig | 0.46 | 8.1 | 0.04 | Sep 6, 2017 | Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947. | ||
| CVE-2015-5947 | Hig | 0.46 | 8.1 | 0.03 | Sep 6, 2017 | SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. | ||
| CVE-2019-25664 | Hig | 0.39 | 7.1 | 0.00 | Apr 5, 2026 | SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the… | ||
| CVE-2019-25663 | Hig | 0.39 | 7.1 | 0.00 | Apr 5, 2026 | SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using… | ||
| CVE-2018-15606 | Med | 0.33 | 6.1 | 0.01 | Sep 26, 2018 | An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message. | ||
| CVE-2024-36412 | 0.07 | — | 0.06 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||
| CVE-2024-36416 | 0.04 | — | 0.02 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||
| CVE-2023-5350 | 0.03 | — | 0.02 | Oct 3, 2023 | SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1. | |||
| CVE-2023-1034 | 0.02 | — | 0.28 | Feb 25, 2023 | Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9. | |||
| CVE-2026-29109 | 0.00 | — | 0.00 | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator… | |||
| CVE-2022-50589 | 0.00 | — | 0.01 | Nov 6, 2025 | SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code. | |||
| CVE-2024-50335 | 0.00 | — | 0.00 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This… | |||
| CVE-2024-50333 | 0.00 | — | 0.00 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language… | |||
| CVE-2024-50332 | 0.00 | — | 0.00 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to… | |||
| CVE-2024-49774 | 0.00 | — | 0.00 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM… | |||
| CVE-2024-49773 | 0.00 | — | 0.00 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export`… | |||
| CVE-2024-49772 | 0.00 | — | 0.00 | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor input validation allows authenticated user do a SQL injection attack. Authenticated user with low pivilege can leak all data in database.… | |||
| CVE-2024-45392 | 0.00 | — | 0.00 | Sep 5, 2024 | SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue. | |||
| CVE-2024-36419 | 0.00 | — | 0.00 | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue. |
- risk 0.51cvss 7.8epss 0.02
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
- risk 0.46cvss 8.1epss 0.04
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
- risk 0.46cvss 8.1epss 0.03
SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.
- risk 0.39cvss 7.1epss 0.00
SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the…
- risk 0.39cvss 7.1epss 0.00
SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using…
- risk 0.33cvss 6.1epss 0.01
An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message.
- CVE-2024-36412Jun 10, 2024risk 0.07cvss —epss 0.06
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2024-36416Jun 10, 2024risk 0.04cvss —epss 0.02
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CVE-2023-5350Oct 3, 2023risk 0.03cvss —epss 0.02
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
- CVE-2023-1034Feb 25, 2023risk 0.02cvss —epss 0.28
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.
- CVE-2026-29109Mar 19, 2026risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator…
- CVE-2022-50589Nov 6, 2025risk 0.00cvss —epss 0.01
SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code.
- CVE-2024-50335Nov 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This…
- CVE-2024-50333Nov 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language…
- CVE-2024-50332Nov 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to…
- CVE-2024-49774Nov 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM…
- CVE-2024-49773Nov 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export`…
- CVE-2024-49772Nov 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor input validation allows authenticated user do a SQL injection attack. Authenticated user with low pivilege can leak all data in database.…
- CVE-2024-45392Sep 5, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue.
- CVE-2024-36419Jun 10, 2024risk 0.00cvss —epss 0.00
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.