Shodan
Vulnerabilities
Vulnerable Software
Salesagility:  >> Suitecrm  >> 7.10.35  Security Vulnerabilities
CVE-2023-1034
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.
CVSS Score
4.3
EPSS Score
0.014
Published
2023-02-25
CVE-2022-23940
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.
CVSS Score
8.8
EPSS Score
0.359
Published
2022-03-10
CVE-2022-0755
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
CVSS Score
7.1
EPSS Score
0.002
Published
2022-03-07
CVE-2022-0756
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-03-07
CVE-2022-0754
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.
CVSS Score
7.1
EPSS Score
0.002
Published
2022-03-07
CVE-2021-45897
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.
CVSS Score
8.8
EPSS Score
0.338
Published
2022-01-28
CVE-2021-45898
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
CVSS Score
9.8
EPSS Score
0.005
Published
2022-01-28
CVE-2021-45899
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.032
Published
2022-01-28
CVE-2021-45041
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
CVSS Score
8.8
EPSS Score
0.199
Published
2021-12-19
CVE-2021-42840
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
CVSS Score
8.8
EPSS Score
0.478
Published
2021-10-22


Products
Pricing
Contact Us

Shodan ® - All rights reserved