Salesagility: >> Suitecrm >> 7.10.34 Security Vulnerabilities
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
CVSS Score
9.8
EPSS Score
0.005
Published
2022-01-28
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
CVSS Score
9.8
EPSS Score
0.032
Published
2022-01-28
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVSS Score
8.8
EPSS Score
0.004
Published
2022-01-12
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-12-28
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
CVSS Score
8.8
EPSS Score
0.199
Published
2021-12-19
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
CVSS Score
8.8
EPSS Score
0.478
Published
2021-10-22
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
CVSS Score
6.1
EPSS Score
0.007
Published
2021-08-18
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
CVSS Score
6.1
EPSS Score
0.004
Published
2021-08-18
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
CVSS Score
5.4
EPSS Score
0.004
Published
2021-04-30
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-11-18