Vulnerabilities (CVE)

Filtered by vendor Salesagility Subscribe
Filtered by product Suitecrm
Total 84 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41597 1 Salesagility 1 Suitecrm 2024-11-21 6.8 MEDIUM 8.8 HIGH
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVE-2021-41596 1 Salesagility 1 Suitecrm 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
CVE-2021-41595 1 Salesagility 1 Suitecrm 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
CVE-2021-39268 1 Salesagility 1 Suitecrm 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
CVE-2021-39267 1 Salesagility 1 Suitecrm 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
CVE-2021-31792 1 Salesagility 1 Suitecrm 2024-11-21 3.5 LOW 5.4 MEDIUM
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
CVE-2021-25961 1 Salesagility 1 Suitecrm 2024-11-21 6.0 MEDIUM 8.0 HIGH
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
CVE-2021-25960 1 Salesagility 1 Suitecrm 2024-11-21 6.0 MEDIUM 8.0 HIGH
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CVE-2020-8804 1 Salesagility 1 Suitecrm 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
CVE-2020-8803 1 Salesagility 1 Suitecrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
CVE-2020-8802 1 Salesagility 1 Suitecrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
CVE-2020-8801 1 Salesagility 1 Suitecrm 2024-11-21 6.5 MEDIUM 7.2 HIGH
SuiteCRM through 7.11.11 allows PHAR Deserialization.
CVE-2020-8800 1 Salesagility 1 Suitecrm 2024-11-21 6.5 MEDIUM 8.8 HIGH
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
CVE-2020-8787 1 Salesagility 1 Suitecrm 2024-11-21 5.0 MEDIUM 7.5 HIGH
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
CVE-2020-8786 1 Salesagility 1 Suitecrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
CVE-2020-8785 1 Salesagility 1 Suitecrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
CVE-2020-8784 1 Salesagility 1 Suitecrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
CVE-2020-8783 1 Salesagility 1 Suitecrm 2024-11-21 7.5 HIGH 9.8 CRITICAL
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
CVE-2020-28328 1 Salesagility 1 Suitecrm 2024-11-21 9.0 HIGH 8.8 HIGH
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
CVE-2020-15301 1 Salesagility 1 Suitecrm 2024-11-21 6.8 MEDIUM 7.8 HIGH
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.