Salesagility: >> Suitecrm >> 7.8.7 Security Vulnerabilities
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
CVSS Score
7.8
EPSS Score
0.003
Published
2020-11-18
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
CVSS Score
8.8
EPSS Score
0.527
Published
2020-11-06
SuiteCRM through 7.11.11 allows PHAR Deserialization.
CVSS Score
7.2
EPSS Score
0.005
Published
2020-02-13
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-02-13
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
CVSS Score
9.8
EPSS Score
0.01
Published
2020-02-13
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-02-13
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-02-13
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).
CVSS Score
9.8
EPSS Score
0.004
Published
2019-06-07
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).
CVSS Score
9.8
EPSS Score
0.004
Published
2019-06-07
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).
CVSS Score
9.8
EPSS Score
0.004
Published
2019-06-07