Filtered by vendor Salesagility
Total: 17 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-6131 | Salesagility | Suitecrm | 2023-11-17 | N/A | 8.8 HIGH | Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. |
| CVE-2023-6130 | Salesagility | Suitecrm | 2023-11-17 | N/A | 8.8 HIGH | Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. |
| CVE-2023-6125 | Salesagility | Suitecrm | 2023-11-17 | N/A | 8.8 HIGH | Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. |
| CVE-2021-41869 | Salesagility | Suitecrm | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH | SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation. |
| CVE-2021-45897 | Salesagility | Suitecrm | 2022-02-10 | 6.5 MEDIUM | 8.8 HIGH | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. |
| CVE-2021-41597 | Salesagility | Suitecrm | 2022-01-19 | 6.8 MEDIUM | 8.8 HIGH | SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive. |
| CVE-2021-45041 | Salesagility | Suitecrm | 2022-01-04 | 6.5 MEDIUM | 8.8 HIGH | SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. |
| CVE-2020-28328 | Salesagility | Suitecrm | 2021-12-02 | 9.0 HIGH | 8.8 HIGH | SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. |
| CVE-2021-42840 | Salesagility | Suitecrm | 2021-11-30 | 9.0 HIGH | 8.8 HIGH | SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328. |
| CVE-2021-25961 | Salesagility | Suitecrm | 2021-10-07 | 6.0 MEDIUM | 8.0 HIGH | In the "SuiteCRM" application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes account takeover of any newly created user with the same user id possible. |
| CVE-2021-25960 | Salesagility | Suitecrm | 2021-10-07 | 6.0 MEDIUM | 8.0 HIGH | In the "SuiteCRM" application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a "CSV Injection" vulnerability (Formula Injection). A low privileged attacker can use the Accounts module to inject payloads in the input fields. When an administrator accesses the Accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. |
| CVE-2020-8801 | Salesagility | Suitecrm | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH | SuiteCRM through 7.11.11 allows PHAR Deserialization. |
| CVE-2020-15301 | Salesagility | Suitecrm | 2020-12-02 | 6.8 MEDIUM | 7.8 HIGH | SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. |
| CVE-2015-5947 | Salesagility | Suitecrm | 2020-06-12 | 6.8 MEDIUM | 8.1 HIGH | SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. |
| CVE-2020-8787 | Salesagility | Suitecrm | 2020-03-18 | 5.0 MEDIUM | 7.5 HIGH | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted. |
| CVE-2020-8800 | Salesagility | Suitecrm | 2020-02-19 | 6.5 MEDIUM | 8.8 HIGH | SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. |
| CVE-2015-5948 | Salesagility | Suitecrm | 2017-09-09 | 9.3 HIGH | 8.1 HIGH | Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947. |
