Salesagility: >> Suitecrm >> 7.0.2 Security Vulnerabilities
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
CVSS Score
8.8
EPSS Score
0.527
Published
2020-11-06
SuiteCRM through 7.11.11 allows PHAR Deserialization.
CVSS Score
7.2
EPSS Score
0.005
Published
2020-02-13
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-02-13
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
CVSS Score
9.8
EPSS Score
0.01
Published
2020-02-13
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-02-13
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-02-13
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-04-05
An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-09-26
SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.
CVSS Score
8.1
EPSS Score
0.029
Published
2017-09-06
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
CVSS Score
8.1
EPSS Score
0.022
Published
2017-09-06