Search
Total
18 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-47643 | 1 Salesagility | 1 Suitecrm | 2023-11-29 | N/A | 5.3 MEDIUM |
| SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds. | |||||
| CVE-2023-6124 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 4.3 MEDIUM |
| Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14. | |||||
| CVE-2023-6127 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 5.4 MEDIUM |
| Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2023-6128 | 1 Salesagility | 1 Suitecrm | 2023-11-17 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2021-45903 | 1 Salesagility | 1 Suitecrm | 2022-01-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. | |||||
| CVE-2021-41596 | 1 Salesagility | 1 Suitecrm | 2021-10-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. | |||||
| CVE-2021-41595 | 1 Salesagility | 1 Suitecrm | 2021-10-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality. | |||||
| CVE-2021-39268 | 1 Salesagility | 1 Suitecrm | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. | |||||
| CVE-2021-39267 | 1 Salesagility | 1 Suitecrm | 2021-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked. | |||||
| CVE-2018-20816 | 1 Salesagility | 1 Suitecrm | 2021-07-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed. | |||||
| CVE-2019-16922 | 1 Salesagility | 1 Suitecrm | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files. | |||||
| CVE-2021-31792 | 1 Salesagility | 1 Suitecrm | 2021-05-03 | 3.5 LOW | 5.4 MEDIUM |
| XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field | |||||
| CVE-2020-15300 | 1 Salesagility | 1 Suitecrm | 2020-12-01 | 5.8 MEDIUM | 6.1 MEDIUM |
| SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. | |||||
| CVE-2020-14208 | 1 Salesagility | 1 Suitecrm | 2020-11-21 | 3.5 LOW | 5.4 MEDIUM |
| SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. | |||||
| CVE-2019-18782 | 1 Salesagility | 1 Suitecrm | 2020-04-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism. | |||||
| CVE-2020-8804 | 1 Salesagility | 1 Suitecrm | 2020-02-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. | |||||
| CVE-2019-14752 | 1 Salesagility | 1 Suitecrm | 2019-10-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS. | |||||
| CVE-2018-15606 | 1 Salesagility | 1 Suitecrm | 2018-11-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message. | |||||