VYPR

Vendor CVEs · SuiteCRM · All CVEs

96 total · sorted by risk
  • CVE-2024-49774 · Nov 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on a blacklist of functions/methods to prevent installation of malicious MLPs, but these checks can be bypassed with some syntax constructions. SuiteCRM…

  • CVE-2024-49773 · Nov 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows an authenticated user to perform a SQL injection attack. User-controlled input is used to build a SQL query. The `current_post` parameter in `export`…

  • CVE-2024-49772 · Nov 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM version 7.14.4, poor input validation allows an authenticated user to perform a SQL injection attack. An authenticated user with low privilege can leak all data in the database.…

  • CVE-2024-45392 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source customer relationship management (CRM) system. Prior to versions 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue.

  • CVE-2024-36419 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.

  • CVE-2024-36418 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this…

  • CVE-2024-36417 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added to some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this…

  • CVE-2024-36415 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2024-36414 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2024-36411 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2024-36410 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2024-36409 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2024-36408 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2024-36407 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset by an unauthenticated attacker. The attacker does not get access to the new password, but this can be annoying for the…

  • CVE-2024-36406 · Jun 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for an open redirect. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2023-47643 · Nov 21, 2023
    risk 0.00 · cvss n/a · epss 0.03

    SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, GraphQL introspection is enabled without authentication, exposing the schema defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and…

  • CVE-2022-27474 · Apr 15, 2022
    risk 0.00 · cvss n/a · epss 0.22

    SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.

  • CVE-2021-45899 · Jan 28, 2022
    risk 0.00 · cvss n/a · epss 0.02

    SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.

  • CVE-2021-45898 · Jan 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.

  • CVE-2021-41597 · Jan 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.

  • CVE-2021-45903 · Dec 28, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.

  • CVE-2021-41596 · Oct 4, 2021
    risk 0.00 · cvss n/a · epss 0.02

    SuiteCRM before 7.10.33 and 7.11.x before 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.

  • CVE-2021-25961 · Sep 29, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In the SuiteCRM application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links associated with a deleted user id, which makes account takeover of any newly created user with the same user id possible.

  • CVE-2020-14208 · Nov 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.

  • CVE-2020-15300 · Nov 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.

  • CVE-2019-18785 · Mar 20, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials.

  • CVE-2019-18782 · Mar 20, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.

  • CVE-2020-8784 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).

  • CVE-2020-8785 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).

  • CVE-2020-8786 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).

  • CVE-2020-8787 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.

  • CVE-2020-8783 · Mar 16, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).

  • CVE-2020-8804 · Feb 13, 2020
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.

  • CVE-2020-8803 · Feb 13, 2020
    risk 0.00 · cvss n/a · epss 0.03

    SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.

  • CVE-2020-8802 · Feb 13, 2020
    risk 0.00 · cvss n/a · epss 0.03

    SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.

  • CVE-2020-8801 · Feb 13, 2020
    risk 0.00 · cvss n/a · epss 0.03

    SuiteCRM through 7.11.11 allows PHAR Deserialization.

  • CVE-2020-8800 · Feb 13, 2020
    risk 0.00 · cvss n/a · epss 0.03

    SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.

  • CVE-2019-18784 · Nov 6, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.

  • CVE-2019-14454 · Oct 2, 2019
    risk 0.00 · cvss n/a · epss 0.02

    SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 is vulnerable to vertical privilege escalation.

  • CVE-2019-14752 · Sep 30, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 has XSS.

  • CVE-2019-16922 · Sep 27, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.

  • CVE-2019-12599 · Jun 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection.

  • CVE-2019-12598 · Jun 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).

  • CVE-2019-12600 · Jun 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).

  • CVE-2019-12601 · Jun 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).

  • CVE-2019-6506 · Apr 2, 2019
    risk 0.00 · cvss n/a · epss 0.02

    SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection.

Page 2 of 2
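The condition CVE-2023-47643 describes (GraphQL introspection answered without authentication) is easy to test for. The script below is an added example, not VYPR's or SuiteCRM's code: it sends a minimal introspection query with no session and, if the server answers with schema data instead of an error, summarises what that schema hands an attacker (type count, query and mutation names). The endpoint path `/api/graphql` and the two sample responses are constructed assumptions; only `probe()` touches the network, and it is not exercised offline.

```python
"""Added example: detect unauthenticated GraphQL introspection (the
CVE-2023-47643 condition) and summarise what an exposed schema reveals.
Not VYPR's or SuiteCRM's code; the endpoint path and the sample responses
below are constructed assumptions, not captured from a real instance."""
import json
import urllib.request

# Enough of an introspection query to learn every type, every field and
# every mutation name. A server that answers it without a session is exposed.
INTROSPECTION_QUERY = """
query Probe {
  __schema {
    queryType { name }
    mutationType { name }
    types { name kind fields { name args { name } } }
  }
}
"""


def introspection_exposed(body: dict) -> bool:
    """True when the response carries schema data rather than an error."""
    schema = (body.get("data") or {}).get("__schema")
    return isinstance(schema, dict) and bool(schema.get("types"))


def summarize_schema(body: dict) -> dict:
    """What an attacker learns: type count plus the callable root fields."""
    schema = body["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}

    def field_names(root: dict | None) -> list[str]:
        root_type = types.get((root or {}).get("name")) or {}
        return sorted(f["name"] for f in (root_type.get("fields") or []))

    return {
        "types": len(types),
        "queries": field_names(schema.get("queryType")),
        "mutations": field_names(schema.get("mutationType")),
    }


def probe(base_url: str, path: str = "/api/graphql") -> dict:
    """POST the query with no cookie or token; the path is an assumption."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps({"query": INTROSPECTION_QUERY}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (hypothetical field names, not SuiteCRM's).
EXPOSED = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "contact", "args": [{"name": "id"}]},
            {"name": "contacts", "args": [{"name": "filter"}]}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "createContact", "args": [{"name": "input"}]},
            {"name": "deleteContact", "args": [{"name": "id"}]}]},
        {"name": "Contact", "kind": "OBJECT", "fields": [
            {"name": "id", "args": []}, {"name": "email", "args": []}]},
    ]}}}
DENIED = {"errors": [{"message": "Authentication required"}], "data": None}

if __name__ == "__main__":
    for label, body in (("exposed", EXPOSED), ("denied", DENIED)):
        hit = introspection_exposed(body)
        print(label, hit, summarize_schema(body) if hit else "")
```

Run `probe("https://crm.example")` against a test instance while logged out; a `DENIED`-shaped reply (errors, no `data.__schema`) is the fixed behaviour, an `EXPOSED`-shaped one means the 8.4.2 fix is not in place or has been undone by configuration.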
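The fixed-version lines in the 2024 and 2022 advisories above invite a mechanical check, and the branch structure is where such checks go wrong: 7.14.4 closes the 7.x line while 8.6.1 closes the 8.x line for the same CVE, so a plain numeric comparison would call 8.0.0 fixed. The script below is an added example, not VYPR's or SuiteCRM's code. It transcribes the first fixed release per branch from the advisory text on this page and tests an installed version against it. Entries that state no fixed version on this page (CVE-2024-49772, CVE-2024-49773, CVE-2024-49774) are left out, and treating 7.x as out of scope for the two advisories that quote only an 8.x fix (CVE-2024-36419, CVE-2023-47643) is an assumption.

```python
"""Added example (not VYPR's or SuiteCRM's code): branch-aware check of a
SuiteCRM version against the fixed releases quoted on this page."""
from __future__ import annotations
import re

# First fixed release per major branch, transcribed from the advisory text
# above. A CVE that names no fix for a branch is treated as not affecting
# that branch; for CVE-2024-36419 and CVE-2023-47643, which quote only an
# 8.x fix, that is an assumption made by this example.
FIXED_IN = {
    "CVE-2024-45392": {7: "7.14.5", 8: "8.6.2"},
    "CVE-2024-36419": {8: "8.6.1"},
    "CVE-2024-36418": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36417": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36415": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36414": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36411": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36410": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36409": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36408": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36407": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2024-36406": {7: "7.14.4", 8: "8.6.1"},
    "CVE-2023-47643": {8: "8.4.2"},
    "CVE-2021-45899": {7: "7.12.3", 8: "8.0.2"},
    "CVE-2021-45898": {7: "7.12.3", 8: "8.0.2"},
}


def parse_version(v: str) -> tuple[int, ...]:
    """'7.14.4' -> (7, 14, 4); a suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def affected(version: str, cve: str) -> bool | None:
    """True if `version` predates the fix on its own branch, False if it is
    at or past the fix (or its branch is not listed), None if this page
    gives no fix data for `cve`. The comparison is confined to the branch:
    8.0.0 sorts above 7.14.4 numerically yet is not fixed by it."""
    branches = FIXED_IN.get(cve)
    if branches is None:
        return None
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is None:
        return False
    return v < parse_version(fixed)


def open_cves(version: str) -> list[str]:
    """Every CVE in the table still open for `version`, sorted by ID."""
    return sorted(c for c in FIXED_IN if affected(version, c))


if __name__ == "__main__":
    for v in ("7.14.3", "7.14.4", "8.0.0", "8.6.0", "8.6.1", "8.6.2"):
        print(v, open_cves(v))
```

The table deliberately returns `None` rather than `False` for a CVE it has no data on, so a scanner built on it cannot silently report "not affected" for the three November 2024 entries whose fix versions are not stated here.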