Salesagility SuiteCRM Security Vulnerabilities
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.
CVSS Score: 7.1 | EPSS Score: 0.008 | Published: 2022-03-07
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.
CVSS Score: 8.8 | EPSS Score: 0.046 | Published: 2022-01-28
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
CVSS Score: 9.8 | EPSS Score: 0.011 | Published: 2022-01-28
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.022 | Published: 2022-01-28
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVSS Score: 8.8 | EPSS Score: 0.01 | Published: 2022-01-12
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.
CVSS Score: 6.1 | EPSS Score: 0.011 | Published: 2021-12-28
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
CVSS Score: 8.8 | EPSS Score: 0.022 | Published: 2021-12-19
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
CVSS Score: 8.8 | EPSS Score: 0.589 | Published: 2021-10-22
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
CVSS Score: 5.3 | EPSS Score: 0.018 | Published: 2021-10-04
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
CVSS Score: 5.3 | EPSS Score: 0.018 | Published: 2021-10-04
Shodan ® - All rights reserved