Salesagility Security Vulnerabilities
8.1CVSS
8.3AI Score
0.03EPSS
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
8.1CVSS
8.4AI Score
0.03EPSS
An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message.
6.1CVSS
5.9AI Score
0.001EPSS
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script...
6.1CVSS
6AI Score
0.001EPSS
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).
9.8CVSS
9.9AI Score
0.001EPSS
9.8CVSS
9.7AI Score
0.001EPSS
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).
9.8CVSS
9.9AI Score
0.001EPSS
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).
9.8CVSS
9.9AI Score
0.001EPSS
9.8CVSS
9.4AI Score
0.005EPSS
SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation.
9.8CVSS
9.4AI Score
0.002EPSS
6.1CVSS
6.3AI Score
0.001EPSS
SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.
5.3CVSS
5.3AI Score
0.001EPSS
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
9.8CVSS
9.6AI Score
0.002EPSS
SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection.
9.8CVSS
9.7AI Score
0.004EPSS
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
5.4CVSS
5AI Score
0.001EPSS
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
6.1CVSS
6.1AI Score
0.001EPSS
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
7.8CVSS
7.7AI Score
0.001EPSS
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
8.8CVSS
8.8AI Score
0.077EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
9.8CVSS
9.8AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
9.8CVSS
9.8AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
9.8CVSS
9.8AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
9.8CVSS
9.8AI Score
0.002EPSS
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
7.5CVSS
7.5AI Score
0.001EPSS
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
8.8CVSS
8.7AI Score
0.002EPSS
7.2CVSS
6.9AI Score
0.002EPSS
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
9.8CVSS
9.5AI Score
0.007EPSS
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
9.8CVSS
9.4AI Score
0.032EPSS
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
6.5CVSS
7AI Score
0.004EPSS
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the ...
8CVSS
7.4AI Score
0.002EPSS
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
8CVSS
7.8AI Score
0.002EPSS
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
5.4CVSS
5.1AI Score
0.001EPSS
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (suc...
6.1CVSS
6AI Score
0.002EPSS
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
6.1CVSS
5.8AI Score
0.001EPSS
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
5.3CVSS
5.2AI Score
0.001EPSS
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
8.8CVSS
8.8AI Score
0.007EPSS
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
8.8CVSS
8.7AI Score
0.002EPSS
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were bl...
8.8CVSS
9.1AI Score
0.11EPSS
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
8.8CVSS
9AI Score
0.001EPSS
8.8CVSS
9AI Score
0.007EPSS
9.8CVSS
9.1AI Score
0.002EPSS
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
9.8CVSS
9.8AI Score
0.005EPSS
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.
6.1CVSS
5.8AI Score
0.003EPSS
6.5CVSS
6.9AI Score
0.001EPSS
4.3CVSS
4.6AI Score
0.001EPSS
6.5CVSS
6.4AI Score
0.001EPSS
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing...
8.8CVSS
8.7AI Score
0.003EPSS
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
7.2CVSS
7.3AI Score
0.003EPSS
Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.
8.8CVSS
6.3AI Score
0.001EPSS