All the vulnerabilites related to salesagility - SuiteCRM
cve-2023-5353
Vulnerability from cvelistv5
Published
2023-10-03 12:15
Modified
2024-09-12 14:36
Severity ?
EPSS score ?
Summary
Improper Access Control in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:43.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/3b3bb4f1-1aea-4134-99eb-157f245fa752"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/c43eaa311fb010b7928983e6afc6f9075c3996aa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5353",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:49:35.778958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:36:28.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-03T12:15:20.097Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/3b3bb4f1-1aea-4134-99eb-157f245fa752"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/c43eaa311fb010b7928983e6afc6f9075c3996aa"
}
],
"source": {
"advisory": "3b3bb4f1-1aea-4134-99eb-157f245fa752",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5353",
"datePublished": "2023-10-03T12:15:20.097Z",
"dateReserved": "2023-10-03T12:15:08.429Z",
"dateUpdated": "2024-09-12T14:36:28.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-25961
Vulnerability from cvelistv5
Published
2021-09-29 13:50
Modified
2024-09-17 02:07
Severity ?
EPSS score ?
Summary
SuiteCRM - Account Takeover in Password Reset Functionality
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:19.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"changes": [
{
"at": "v7.10.32",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "v7.1.7",
"versionType": "custom"
},
{
"lessThan": "v7.11.21",
"status": "affected",
"version": "v7.11",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In \u201cSuiteCRM\u201d application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T13:50:10",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to v7.10.32 or v7.11.21"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM - Account Takeover in Password Reset Functionality",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-21T10:09:00.000Z",
"ID": "CVE-2021-25961",
"STATE": "PUBLIC",
"TITLE": "SuiteCRM - Account Takeover in Password Reset Functionality"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SuiteCRM",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "v7.1.7"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "v7.10.32"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "v7.11",
"version_value": "v7.11.21"
}
]
}
}
]
},
"vendor_name": "salesagility"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In \u201cSuiteCRM\u201d application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25961"
},
{
"name": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"name": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v7.10.32 or v7.11.21"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25961",
"datePublished": "2021-09-29T13:50:10.158439Z",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-09-17T02:07:00.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-15606
Vulnerability from cvelistv5
Published
2018-09-26 17:00
Modified
2024-08-05 10:01
Severity ?
EPSS score ?
Summary
An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/#anchor-7.10.8 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:53.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-26T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-15606",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.8",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-15606",
"datePublished": "2018-09-26T17:00:00",
"dateReserved": "2018-08-21T00:00:00",
"dateUpdated": "2024-08-05T10:01:53.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-18782
Vulnerability from cvelistv5
Published
2020-03-20 00:30
Modified
2024-08-05 02:02
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:38.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T00:30:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18782",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18782",
"datePublished": "2020-03-20T00:30:55",
"dateReserved": "2019-11-06T00:00:00",
"dateUpdated": "2024-08-05T02:02:38.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-41869
Vulnerability from cvelistv5
Published
2021-10-04 06:13
Modified
2024-08-04 03:22
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22 | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 | x_refsource_MISC | |
| https://github.com/ach-ing/cves/blob/main/CVE-2021-41869.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:22:25.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41869.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T17:43:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41869.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41869",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"name": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41869.md",
"refsource": "MISC",
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41869.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41869",
"datePublished": "2021-10-04T06:13:28",
"dateReserved": "2021-10-04T00:00:00",
"dateUpdated": "2024-08-04T03:22:25.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-18784
Vulnerability from cvelistv5
Published
2019-11-06 02:13
Modified
2024-08-05 02:02
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.10.x/ | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.11.x/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:38.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T02:13:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-18784",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18784",
"datePublished": "2019-11-06T02:13:46",
"dateReserved": "2019-11-06T00:00:00",
"dateUpdated": "2024-08-05T02:02:38.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14208
Vulnerability from cvelistv5
Published
2020-11-18 21:08
Modified
2024-08-04 12:39
Severity ?
EPSS score ?
Summary
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-11-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-18T21:08:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14208",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008",
"refsource": "MISC",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14208",
"datePublished": "2020-11-18T21:08:23",
"dateReserved": "2020-06-16T00:00:00",
"dateUpdated": "2024-08-04T12:39:36.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36415
Vulnerability from cvelistv5
Published
2024-06-10 19:49
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T19:08:56.644547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T19:09:00.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T19:49:54.382Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-c82f-58jv-jfrh"
}
],
"source": {
"advisory": "GHSA-c82f-58jv-jfrh",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36415",
"datePublished": "2024-06-10T19:49:54.382Z",
"dateReserved": "2024-05-27T15:59:57.033Z",
"dateUpdated": "2024-08-02T03:37:05.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-15301
Vulnerability from cvelistv5
Published
2020-11-18 21:00
Modified
2024-08-04 13:15
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:19.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-11-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-18T21:00:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15301",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010",
"refsource": "MISC",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15301",
"datePublished": "2020-11-18T21:00:24",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:15:19.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8785
Vulnerability from cvelistv5
Published
2020-03-16 21:35
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-16T21:35:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8785",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8785",
"datePublished": "2020-03-16T21:35:24",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36406
Vulnerability from cvelistv5
Published
2024-06-10 15:06
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM vulnerable to open redirects
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-hcw8-p37h-8hrv | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T16:54:20.051915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:54:40.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-hcw8-p37h-8hrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-hcw8-p37h-8hrv"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T15:06:22.355Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-hcw8-p37h-8hrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-hcw8-p37h-8hrv"
}
],
"source": {
"advisory": "GHSA-hcw8-p37h-8hrv",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM vulnerable to open redirects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36406",
"datePublished": "2024-06-10T15:06:22.355Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:05.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8800
Vulnerability from cvelistv5
Published
2020-02-13 15:11
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| https://seclists.org/fulldisclosure/2020/Feb/3 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/156321/SuiteCRM-7.11.11-Second-Order-PHP-Object-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.495Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2020/Feb/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156321/SuiteCRM-7.11.11-Second-Order-PHP-Object-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-13T17:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/fulldisclosure/2020/Feb/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156321/SuiteCRM-7.11.11-Second-Order-PHP-Object-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8800",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "https://seclists.org/fulldisclosure/2020/Feb/3",
"refsource": "MISC",
"url": "https://seclists.org/fulldisclosure/2020/Feb/3"
},
{
"name": "http://packetstormsecurity.com/files/156321/SuiteCRM-7.11.11-Second-Order-PHP-Object-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156321/SuiteCRM-7.11.11-Second-Order-PHP-Object-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8800",
"datePublished": "2020-02-13T15:11:09",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36411
Vulnerability from cvelistv5
Published
2024-06-10 19:33
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated SQL Injection in EmailUIAjax displayView controller
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9rvr-mcrf-p4p7 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThanOrEqual": "7.14.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T14:38:23.114652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T14:42:06.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9rvr-mcrf-p4p7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9rvr-mcrf-p4p7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T19:33:49.887Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9rvr-mcrf-p4p7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9rvr-mcrf-p4p7"
}
],
"source": {
"advisory": "GHSA-9rvr-mcrf-p4p7",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated SQL Injection in EmailUIAjax displayView controller"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36411",
"datePublished": "2024-06-10T19:33:49.887Z",
"dateReserved": "2024-05-27T15:59:57.032Z",
"dateUpdated": "2024-08-02T03:37:05.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36412
Vulnerability from cvelistv5
Published
2024-06-10 19:35
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM unauthenticated SQL Injection
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.6.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T20:21:21.367935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T20:21:37.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T19:35:43.980Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-xjx2-38hv-5hh8"
}
],
"source": {
"advisory": "GHSA-xjx2-38hv-5hh8",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM unauthenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36412",
"datePublished": "2024-06-10T19:35:43.980Z",
"dateReserved": "2024-05-27T15:59:57.032Z",
"dateUpdated": "2024-08-02T03:37:05.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6127
Vulnerability from cvelistv5
Published
2023-11-14 16:01
Modified
2024-08-30 19:22
Severity ?
EPSS score ?
Summary
Unrestricted Upload of File with Dangerous Type in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/bf10c72b-5d2e-4c9a-9bd6-d77bdf31027d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T19:21:52.719910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T19:22:19.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 7.12.14, 8.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T16:01:57.316Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/bf10c72b-5d2e-4c9a-9bd6-d77bdf31027d"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "bf10c72b-5d2e-4c9a-9bd6-d77bdf31027d",
"discovery": "EXTERNAL"
},
"title": "Unrestricted Upload of File with Dangerous Type in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6127",
"datePublished": "2023-11-14T16:01:57.316Z",
"dateReserved": "2023-11-14T16:01:38.918Z",
"dateUpdated": "2024-08-30T19:22:19.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6128
Vulnerability from cvelistv5
Published
2023-11-14 16:11
Modified
2024-08-02 08:21
Severity ?
EPSS score ?
Summary
Cross-site Scripting (XSS) - Reflected in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.250Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/51406547-1961-45f2-a416-7f14fd775d2d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 7.12.14, 8.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T16:11:04.630Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/51406547-1961-45f2-a416-7f14fd775d2d"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "51406547-1961-45f2-a416-7f14fd775d2d",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6128",
"datePublished": "2023-11-14T16:11:04.630Z",
"dateReserved": "2023-11-14T16:10:47.544Z",
"dateUpdated": "2024-08-02T08:21:17.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-50332
Vulnerability from cvelistv5
Published
2024-11-05 18:40
Modified
2024-11-05 18:58
Severity ?
EPSS score ?
Summary
Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.7.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:57:39.892494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:58:13.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:40:14.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p"
}
],
"source": {
"advisory": "GHSA-53xh-mjmq-j35p",
"discovery": "UNKNOWN"
},
"title": "Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-50332",
"datePublished": "2024-11-05T18:40:14.977Z",
"dateReserved": "2024-10-22T17:54:40.953Z",
"dateUpdated": "2024-11-05T18:58:13.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12600
Vulnerability from cvelistv5
Published
2019-06-07 17:35
Modified
2024-08-04 23:24
Severity ?
EPSS score ?
Summary
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:24:39.166Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-06-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-07T17:35:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12600",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12600",
"datePublished": "2019-06-07T17:35:06",
"dateReserved": "2019-06-03T00:00:00",
"dateUpdated": "2024-08-04T23:24:39.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-42840
Vulnerability from cvelistv5
Published
2021-10-22 18:20
Modified
2024-08-04 03:38
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 | x_refsource_MISC | |
| https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb | x_refsource_MISC | |
| https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/ | x_refsource_MISC | |
| https://theyhack.me/SuiteCRM-RCE-2/ | x_refsource_MISC | |
| http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:50.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://theyhack.me/SuiteCRM-RCE-2/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-17T16:06:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://theyhack.me/SuiteCRM-RCE-2/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42840",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"name": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb"
},
{
"name": "https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/",
"refsource": "MISC",
"url": "https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/"
},
{
"name": "https://theyhack.me/SuiteCRM-RCE-2/",
"refsource": "MISC",
"url": "https://theyhack.me/SuiteCRM-RCE-2/"
},
{
"name": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42840",
"datePublished": "2021-10-22T18:20:23",
"dateReserved": "2021-10-22T00:00:00",
"dateUpdated": "2024-08-04T03:38:50.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-41595
Vulnerability from cvelistv5
Published
2021-10-04 16:46
Modified
2024-08-04 03:15
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22 | x_refsource_CONFIRM | |
| https://github.com/ach-ing/cves/blob/main/CVE-2021-41595.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:15:29.061Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41595.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T16:46:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41595.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41595",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"name": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41595.md",
"refsource": "MISC",
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41595.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41595",
"datePublished": "2021-10-04T16:46:08",
"dateReserved": "2021-09-24T00:00:00",
"dateUpdated": "2024-08-04T03:15:29.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12599
Vulnerability from cvelistv5
Published
2019-06-07 17:38
Modified
2024-08-04 23:24
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:24:38.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-06-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-07T17:38:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12599",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12599",
"datePublished": "2019-06-07T17:38:30",
"dateReserved": "2019-06-03T00:00:00",
"dateUpdated": "2024-08-04T23:24:38.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-27474
Vulnerability from cvelistv5
Published
2022-04-15 12:55
Modified
2024-08-03 05:25
Severity ?
EPSS score ?
Summary
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Mount4in/Mount4in.github.io/blob/master/suitecrm.docx | x_refsource_MISC | |
| https://github.com/Mount4in/Mount4in.github.io/blob/master/poc.py | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:25:32.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mount4in/Mount4in.github.io/blob/master/suitecrm.docx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mount4in/Mount4in.github.io/blob/master/poc.py"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-15T12:55:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mount4in/Mount4in.github.io/blob/master/suitecrm.docx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mount4in/Mount4in.github.io/blob/master/poc.py"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27474",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Mount4in/Mount4in.github.io/blob/master/suitecrm.docx",
"refsource": "MISC",
"url": "https://github.com/Mount4in/Mount4in.github.io/blob/master/suitecrm.docx"
},
{
"name": "https://github.com/Mount4in/Mount4in.github.io/blob/master/poc.py",
"refsource": "MISC",
"url": "https://github.com/Mount4in/Mount4in.github.io/blob/master/poc.py"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27474",
"datePublished": "2022-04-15T12:55:32",
"dateReserved": "2022-03-21T00:00:00",
"dateUpdated": "2024-08-03T05:25:32.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-41597
Vulnerability from cvelistv5
Published
2022-01-12 19:17
Modified
2024-08-04 03:15
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35 | x_refsource_MISC | |
| https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:15:29.074Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T19:17:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41597",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35"
},
{
"name": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md",
"refsource": "MISC",
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41597.md"
},
{
"name": "https://docs.suitecrm.com/admin/releases/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41597",
"datePublished": "2022-01-12T19:17:05",
"dateReserved": "2021-09-24T00:00:00",
"dateUpdated": "2024-08-04T03:15:29.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-28328
Vulnerability from cvelistv5
Published
2020-11-06 18:18
Modified
2024-08-04 16:33
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:33:59.067Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mcorybillington/SuiteCRM-RCE"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-17T16:06:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mcorybillington/SuiteCRM-RCE"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28328",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released/",
"refsource": "MISC",
"url": "https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released/"
},
{
"name": "https://github.com/mcorybillington/SuiteCRM-RCE",
"refsource": "MISC",
"url": "https://github.com/mcorybillington/SuiteCRM-RCE"
},
{
"name": "http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-28328",
"datePublished": "2020-11-06T18:18:05",
"dateReserved": "2020-11-06T00:00:00",
"dateUpdated": "2024-08-04T16:33:59.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45903
Vulnerability from cvelistv5
Published
2021-12-28 13:15
Modified
2024-08-04 04:54
Severity ?
EPSS score ?
Summary
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35 | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_2 | x_refsource_MISC | |
| https://github.com/ach-ing/cves/blob/main/CVE-2021-45903.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:54:30.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-45903.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-28T13:15:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-45903.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45903",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_2",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_2"
},
{
"name": "https://github.com/ach-ing/cves/blob/main/CVE-2021-45903.md",
"refsource": "MISC",
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-45903.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45903",
"datePublished": "2021-12-28T13:15:39",
"dateReserved": "2021-12-27T00:00:00",
"dateUpdated": "2024-08-04T04:54:30.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31792
Vulnerability from cvelistv5
Published
2021-04-30 21:23
Modified
2024-08-03 23:10
Severity ?
EPSS score ?
Summary
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 | x_refsource_MISC | |
| https://chris-forbes.github.io/CVE-2021-31792 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://chris-forbes.github.io/CVE-2021-31792"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-30T21:23:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://chris-forbes.github.io/CVE-2021-31792"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-31792",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"name": "https://chris-forbes.github.io/CVE-2021-31792",
"refsource": "MISC",
"url": "https://chris-forbes.github.io/CVE-2021-31792"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-31792",
"datePublished": "2021-04-30T21:23:03",
"dateReserved": "2021-04-24T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45899
Vulnerability from cvelistv5
Published
2022-01-28 16:25
Modified
2024-08-04 04:54
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/8.x/admin/releases/8.0/ | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.12.x/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:54:30.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-28T16:25:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45899",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/8.x/admin/releases/8.0/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.12.x/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45899",
"datePublished": "2022-01-28T16:25:21",
"dateReserved": "2021-12-27T00:00:00",
"dateUpdated": "2024-08-04T04:54:30.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-6506
Vulnerability from cvelistv5
Published
2019-04-02 21:14
Modified
2024-08-04 20:23
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/#anchor-7.10.11 | x_refsource_MISC | |
| https://suitecrm.com/suitecrm-7-11-3-lts-security-maintenance-patch-released/ | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_3 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_15 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_28 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:23:21.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://suitecrm.com/suitecrm-7-11-3-lts-security-maintenance-patch-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_15"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-03-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-17T20:11:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://suitecrm.com/suitecrm-7-11-3-lts-security-maintenance-patch-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_15"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_28"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-6506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.11",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/#anchor-7.10.11"
},
{
"name": "https://suitecrm.com/suitecrm-7-11-3-lts-security-maintenance-patch-released/",
"refsource": "CONFIRM",
"url": "https://suitecrm.com/suitecrm-7-11-3-lts-security-maintenance-patch-released/"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_3",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_3"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_15",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_15"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_28",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_28"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-6506",
"datePublished": "2019-04-02T21:14:57",
"dateReserved": "2019-01-22T00:00:00",
"dateUpdated": "2024-08-04T20:23:21.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6125
Vulnerability from cvelistv5
Published
2023-11-14 15:30
Modified
2024-08-02 08:21
Severity ?
EPSS score ?
Summary
Code Injection in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.259Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/a9462f1e-9746-4380-8228-533ff2f64691"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 7.12.14, 8.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T15:30:05.149Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/a9462f1e-9746-4380-8228-533ff2f64691"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "a9462f1e-9746-4380-8228-533ff2f64691",
"discovery": "EXTERNAL"
},
"title": "Code Injection in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6125",
"datePublished": "2023-11-14T15:30:05.149Z",
"dateReserved": "2023-11-14T15:29:47.058Z",
"dateUpdated": "2024-08-02T08:21:17.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8787
Vulnerability from cvelistv5
Published
2020-03-16 21:34
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.200Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-16T21:34:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8787",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8787",
"datePublished": "2020-03-16T21:34:43",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-39268
Vulnerability from cvelistv5
Published
2021-08-18 00:29
Modified
2024-08-04 02:06
Severity ?
EPSS score ?
Summary
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 | x_refsource_MISC | |
| https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:41.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-18T00:29:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-39268",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"name": "https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/",
"refsource": "MISC",
"url": "https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-39268",
"datePublished": "2021-08-18T00:29:21",
"dateReserved": "2021-08-18T00:00:00",
"dateUpdated": "2024-08-04T02:06:41.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-45392
Vulnerability from cvelistv5
Published
2024-09-05 16:34
Modified
2024-09-05 17:43
Severity ?
EPSS score ?
Summary
SuiteCRM has wrong deletion permission checks on API delete call
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8qfx-h7pm-2587 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_5 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45392",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T17:43:12.735791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T17:43:20.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.5"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T16:34:14.271Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8qfx-h7pm-2587",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8qfx-h7pm-2587"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_5",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_5"
}
],
"source": {
"advisory": "GHSA-8qfx-h7pm-2587",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has wrong deletion permission checks on API delete call"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45392",
"datePublished": "2024-09-05T16:34:14.271Z",
"dateReserved": "2024-08-28T20:21:32.802Z",
"dateUpdated": "2024-09-05T17:43:20.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-25960
Vulnerability from cvelistv5
Published
2021-09-29 13:55
Modified
2024-09-16 17:48
Severity ?
EPSS score ?
Summary
SuiteCRM - CSV Injection in Accounts Module
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"lessThan": "v7.10*",
"status": "affected",
"version": "v7.10.29",
"versionType": "custom"
},
{
"lessThan": "v7.11*",
"status": "affected",
"version": "v7.11.18",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In \u201cSuiteCRM\u201d application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by \u201cCSV Injection\u201d vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T13:55:15",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to v7.10.32 or v7.11.21"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM - CSV Injection in Accounts Module",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-21T09:43:00.000Z",
"ID": "CVE-2021-25960",
"STATE": "PUBLIC",
"TITLE": "SuiteCRM - CSV Injection in Accounts Module"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SuiteCRM",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "v7.10",
"version_value": "v7.10.29"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "v7.10",
"version_value": "v7.10.31 +1"
},
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "v7.11",
"version_value": "v7.11.18"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "v7.11",
"version_value": "v7.11.19 +1"
}
]
}
}
]
},
"vendor_name": "salesagility"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In \u201cSuiteCRM\u201d application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by \u201cCSV Injection\u201d vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1236"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960"
},
{
"name": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"name": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v7.10.32 or v7.11.21"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25960",
"datePublished": "2021-09-29T13:55:15.155975Z",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-09-16T17:48:21.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0755
Vulnerability from cvelistv5
Published
2022-03-07 00:00
Modified
2024-08-02 23:40
Severity ?
EPSS score ?
Summary
Missing Authorization in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
},
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/cc767dbc-c676-44c1-a9d1-cd17ae77ee7e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.12.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
},
{
"url": "https://huntr.dev/bounties/cc767dbc-c676-44c1-a9d1-cd17ae77ee7e"
}
],
"source": {
"advisory": "cc767dbc-c676-44c1-a9d1-cd17ae77ee7e",
"discovery": "EXTERNAL"
},
"title": "Missing Authorization in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0755",
"datePublished": "2022-03-07T00:00:00",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6126
Vulnerability from cvelistv5
Published
2023-11-14 15:51
Modified
2024-08-02 08:21
Severity ?
EPSS score ?
Summary
Code Injection in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/e22a9be3-3273-42cb-bfcc-c67a1025684e"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 7.12.14, 8.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T15:51:44.501Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/e22a9be3-3273-42cb-bfcc-c67a1025684e"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "e22a9be3-3273-42cb-bfcc-c67a1025684e",
"discovery": "EXTERNAL"
},
"title": "Code Injection in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6126",
"datePublished": "2023-11-14T15:51:44.501Z",
"dateReserved": "2023-11-14T15:51:26.576Z",
"dateUpdated": "2024-08-02T08:21:17.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6388
Vulnerability from cvelistv5
Published
2024-02-07 02:47
Modified
2024-08-02 08:28
Severity ?
EPSS score ?
Summary
Suite CRM v7.14.2 - SSRF
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T16:21:56.230019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:39.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/leon/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Suite CRM",
"vendor": "Suite CRM",
"versions": [
{
"status": "affected",
"version": "7.14.2"
}
]
}
],
"datePublic": "2024-02-07T02:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eSuite CRM version 7.14.2 allows making arbitrary HTTP requests through\u003c/div\u003e\u003cdiv\u003ethe vulnerable server. This is possible because the application is vulnerable\u003c/div\u003e\u003cdiv\u003eto SSRF.\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Suite CRM version 7.14.2 allows making arbitrary HTTP requests through\n\nthe vulnerable server. This is possible because the application is vulnerable\n\nto SSRF.\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-300",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-300 Port Scanning"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-07T02:47:59.391Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/leon/"
},
{
"url": "https://github.com/salesagility/SuiteCRM/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Suite CRM v7.14.2 - SSRF",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-6388",
"datePublished": "2024-02-07T02:47:59.391Z",
"dateReserved": "2023-11-29T18:12:28.111Z",
"dateUpdated": "2024-08-02T08:28:21.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8802
Vulnerability from cvelistv5
Published
2020-02-13 15:13
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Feb/5 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-13T17:06:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8802",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "http://seclists.org/fulldisclosure/2020/Feb/5",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2020/Feb/5"
},
{
"name": "http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8802",
"datePublished": "2020-02-13T15:13:31",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8784
Vulnerability from cvelistv5
Published
2020-03-16 21:35
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-16T21:35:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8784",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8784",
"datePublished": "2020-03-16T21:35:31",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12598
Vulnerability from cvelistv5
Published
2019-06-07 17:36
Modified
2024-08-04 23:24
Severity ?
EPSS score ?
Summary
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:24:39.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-06-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-07T17:36:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12598",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12598",
"datePublished": "2019-06-07T17:36:56",
"dateReserved": "2019-06-03T00:00:00",
"dateUpdated": "2024-08-04T23:24:39.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45041
Vulnerability from cvelistv5
Published
2021-12-19 08:34
Modified
2024-08-04 04:32
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.12.x/ | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/8.x/admin/releases/8.0/ | x_refsource_CONFIRM | |
| https://github.com/manuelz120/CVE-2021-45041 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/manuelz120/CVE-2021-45041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-27T22:38:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manuelz120/CVE-2021-45041"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45041",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.12.x/",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
},
{
"name": "https://docs.suitecrm.com/8.x/admin/releases/8.0/",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"name": "https://github.com/manuelz120/CVE-2021-45041",
"refsource": "MISC",
"url": "https://github.com/manuelz120/CVE-2021-45041"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45041",
"datePublished": "2021-12-19T08:34:10",
"dateReserved": "2021-12-13T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-39267
Vulnerability from cvelistv5
Published
2021-08-18 00:30
Modified
2024-08-04 02:06
Severity ?
EPSS score ?
Summary
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 | x_refsource_MISC | |
| https://thanhlocpanda.wordpress.com/2021/07/31/file-upload-bypass-suitecrm-7-11-18/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:41.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://thanhlocpanda.wordpress.com/2021/07/31/file-upload-bypass-suitecrm-7-11-18/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-18T00:30:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://thanhlocpanda.wordpress.com/2021/07/31/file-upload-bypass-suitecrm-7-11-18/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-39267",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19"
},
{
"name": "https://thanhlocpanda.wordpress.com/2021/07/31/file-upload-bypass-suitecrm-7-11-18/",
"refsource": "MISC",
"url": "https://thanhlocpanda.wordpress.com/2021/07/31/file-upload-bypass-suitecrm-7-11-18/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-39267",
"datePublished": "2021-08-18T00:30:16",
"dateReserved": "2021-08-18T00:00:00",
"dateUpdated": "2024-08-04T02:06:41.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-15300
Vulnerability from cvelistv5
Published
2020-11-18 21:06
Modified
2024-08-04 13:15
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:18.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-11-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-18T21:06:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15300",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009",
"refsource": "MISC",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15300",
"datePublished": "2020-11-18T21:06:19",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:15:18.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-49773
Vulnerability from cvelistv5
Published
2024-11-05 18:35
Modified
2024-11-05 18:59
Severity ?
EPSS score ?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-5hr4-r43c-6qf7 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:59:41.397602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:59:49.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` entry point can be abused to perform blind SQL injection via generateSearchWhere(). Allows for Information disclosure, including personally identifiable information. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:35:11.102Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-5hr4-r43c-6qf7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-5hr4-r43c-6qf7"
}
],
"source": {
"advisory": "GHSA-5hr4-r43c-6qf7",
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49773",
"datePublished": "2024-11-05T18:35:11.102Z",
"dateReserved": "2024-10-18T13:43:23.459Z",
"dateUpdated": "2024-11-05T18:59:49.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23940
Vulnerability from cvelistv5
Published
2022-03-07 19:06
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/manuelz120 | x_refsource_MISC | |
| https://docs.suitecrm.com/8.x/admin/releases/8.0/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/manuelz120"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T19:06:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manuelz120"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-23940",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/manuelz120",
"refsource": "MISC",
"url": "https://github.com/manuelz120"
},
{
"name": "https://docs.suitecrm.com/8.x/admin/releases/8.0/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-23940",
"datePublished": "2022-03-07T19:06:35",
"dateReserved": "2022-01-25T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6124
Vulnerability from cvelistv5
Published
2023-11-14 14:52
Modified
2024-09-03 15:02
Severity ?
EPSS score ?
Summary
Server-Side Request Forgery (SSRF) in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.166Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/aed4d8f3-ab9a-42fd-afea-b3ec288a148e"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6124",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T15:01:00.626970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:02:37.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 8.4.2, 7.12.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T14:52:40.534Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/aed4d8f3-ab9a-42fd-afea-b3ec288a148e"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "aed4d8f3-ab9a-42fd-afea-b3ec288a148e",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6124",
"datePublished": "2023-11-14T14:52:40.534Z",
"dateReserved": "2023-11-14T14:52:21.792Z",
"dateUpdated": "2024-09-03T15:02:37.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36418
Vulnerability from cvelistv5
Published
2024-06-10 20:16
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated RCE using connectors
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.6.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T20:34:02.219023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T20:34:12.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:16:47.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w"
}
],
"source": {
"advisory": "GHSA-mfj5-37v4-vh5w",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated RCE using connectors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36418",
"datePublished": "2024-06-10T20:16:47.940Z",
"dateReserved": "2024-05-27T15:59:57.033Z",
"dateUpdated": "2024-08-02T03:37:05.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8804
Vulnerability from cvelistv5
Published
2020-02-13 15:15
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Feb/7 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-13T17:06:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8804",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "http://seclists.org/fulldisclosure/2020/Feb/7",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2020/Feb/7"
},
{
"name": "http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8804",
"datePublished": "2020-02-13T15:15:56",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-14454
Vulnerability from cvelistv5
Published
2019-10-02 11:20
Modified
2024-08-05 00:19
Severity ?
EPSS score ?
Summary
SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:19:40.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-02T11:20:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14454",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14454",
"datePublished": "2019-10-02T11:20:14",
"dateReserved": "2019-07-31T00:00:00",
"dateUpdated": "2024-08-05T00:19:40.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36410
Vulnerability from cvelistv5
Published
2024-06-10 17:24
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated SQL Injection in EmailUIAjax messages count controller
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-7jj8-m2wj-m6xq | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThanOrEqual": "8.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T17:08:54.773534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T17:16:13.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:04.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-7jj8-m2wj-m6xq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-7jj8-m2wj-m6xq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:24:08.514Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-7jj8-m2wj-m6xq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-7jj8-m2wj-m6xq"
}
],
"source": {
"advisory": "GHSA-7jj8-m2wj-m6xq",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated SQL Injection in EmailUIAjax messages count controller "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36410",
"datePublished": "2024-06-10T17:24:08.514Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:04.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-50333
Vulnerability from cvelistv5
Published
2024-11-05 18:41
Modified
2024-11-05 18:57
Severity ?
EPSS score ?
Summary
RCE in ModuleBuilder in SuiteCRM
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.7.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50333",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:56:45.792796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:57:18.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file that will be included at the runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:41:24.241Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89"
}
],
"source": {
"advisory": "GHSA-qrv6-3q86-qv89",
"discovery": "UNKNOWN"
},
"title": "RCE in ModuleBuilder in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-50333",
"datePublished": "2024-11-05T18:41:24.241Z",
"dateReserved": "2024-10-22T17:54:40.954Z",
"dateUpdated": "2024-11-05T18:57:18.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-5350
Vulnerability from cvelistv5
Published
2023-10-03 11:45
Modified
2024-09-19 20:17
Severity ?
EPSS score ?
Summary
SQL Injection in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:52:08.701Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/c56563cb-b74e-4174-a09a-cd07689d6736"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/c43eaa311fb010b7928983e6afc6f9075c3996aa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5350",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T20:16:53.515962Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T20:17:01.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-03T11:45:41.765Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/c56563cb-b74e-4174-a09a-cd07689d6736"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/c43eaa311fb010b7928983e6afc6f9075c3996aa"
}
],
"source": {
"advisory": "c56563cb-b74e-4174-a09a-cd07689d6736",
"discovery": "EXTERNAL"
},
"title": "SQL Injection in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5350",
"datePublished": "2023-10-03T11:45:41.765Z",
"dateReserved": "2023-10-03T11:45:30.368Z",
"dateUpdated": "2024-09-19T20:17:01.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3293
Vulnerability from cvelistv5
Published
2023-06-16 00:00
Modified
2024-08-02 06:48
Severity ?
EPSS score ?
Summary
Cross-site Scripting (XSS) - Stored in salesagility/suitecrm-core
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm-core |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/22cb0ee3-e5da-40e0-9d2c-ace9b759f171"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm-core/commit/1f949f1ac2b7fe82f3c2c6071f842b804ba91929"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm-core",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to 8.3.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-16T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/22cb0ee3-e5da-40e0-9d2c-ace9b759f171"
},
{
"url": "https://github.com/salesagility/suitecrm-core/commit/1f949f1ac2b7fe82f3c2c6071f842b804ba91929"
}
],
"source": {
"advisory": "22cb0ee3-e5da-40e0-9d2c-ace9b759f171",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in salesagility/suitecrm-core"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3293",
"datePublished": "2023-06-16T00:00:00",
"dateReserved": "2023-06-16T00:00:00",
"dateUpdated": "2024-08-02T06:48:08.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36414
Vulnerability from cvelistv5
Published
2024-06-10 19:40
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated Server-Side Request Forgery
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T19:11:28.412660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T19:12:02.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T19:40:19.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-wg74-772c-8gr7"
}
],
"source": {
"advisory": "GHSA-wg74-772c-8gr7",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36414",
"datePublished": "2024-06-10T19:40:19.111Z",
"dateReserved": "2024-05-27T15:59:57.032Z",
"dateUpdated": "2024-08-02T03:37:05.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45898
Vulnerability from cvelistv5
Published
2022-01-28 16:23
Modified
2024-08-04 04:54
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/8.x/admin/releases/8.0/ | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.12.x/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:54:31.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-28T16:23:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/8.x/admin/releases/8.0/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.12.x/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45898",
"datePublished": "2022-01-28T16:23:34",
"dateReserved": "2021-12-27T00:00:00",
"dateUpdated": "2024-08-04T04:54:31.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-41596
Vulnerability from cvelistv5
Published
2021-10-04 16:48
Modified
2024-08-04 03:15
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| https://github.com/salesagility/SuiteCRM | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22 | x_refsource_CONFIRM | |
| https://github.com/ach-ing/cves/blob/main/CVE-2021-41596.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:15:29.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41596.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T16:48:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41596.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41596",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "https://github.com/salesagility/SuiteCRM",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22"
},
{
"name": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41596.md",
"refsource": "MISC",
"url": "https://github.com/ach-ing/cves/blob/main/CVE-2021-41596.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41596",
"datePublished": "2021-10-04T16:48:19",
"dateReserved": "2021-09-24T00:00:00",
"dateUpdated": "2024-08-04T03:15:29.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8803
Vulnerability from cvelistv5
Published
2020-02-13 15:14
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Feb/6 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-13T17:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8803",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "http://seclists.org/fulldisclosure/2020/Feb/6",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2020/Feb/6"
},
{
"name": "http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8803",
"datePublished": "2020-02-13T15:14:48",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-20816
Vulnerability from cvelistv5
Published
2019-04-05 13:05
Modified
2024-08-05 12:12
Severity ?
EPSS score ?
Summary
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteDocs/pull/198/files | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11 | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:27.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteDocs/pull/198/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the \"add dashboard pages\" feature where users can receive a malicious attack through a phished URL, with script executed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-05T13:05:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteDocs/pull/198/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20816",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the \"add dashboard pages\" feature where users can receive a malicious attack through a phished URL, with script executed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/SuiteDocs/pull/198/files",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteDocs/pull/198/files"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_11"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.8.x/#_7_8_24"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20816",
"datePublished": "2019-04-05T13:05:07",
"dateReserved": "2019-04-05T00:00:00",
"dateUpdated": "2024-08-05T12:12:27.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36416
Vulnerability from cvelistv5
Published
2024-06-10 20:03
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM v4 API Excessive log data DOS
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:7.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.4",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "8.6.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T14:19:10.422337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T14:22:47.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.170Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-jrpp-22g3-2j77",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-jrpp-22g3-2j77"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.14.x/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/kva55/CVE-2024-36416"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-779",
"description": "CWE-779: Logging of Excessive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:03:05.369Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-jrpp-22g3-2j77",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-jrpp-22g3-2j77"
},
{
"url": "https://docs.suitecrm.com/admin/releases/7.14.x/"
},
{
"url": "https://github.com/kva55/CVE-2024-36416"
}
],
"source": {
"advisory": "GHSA-jrpp-22g3-2j77",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM v4 API Excessive log data DOS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36416",
"datePublished": "2024-06-10T20:03:05.369Z",
"dateReserved": "2024-05-27T15:59:57.033Z",
"dateUpdated": "2024-08-02T03:37:05.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0754
Vulnerability from cvelistv5
Published
2022-03-07 12:45
Modified
2024-08-02 23:40
Severity ?
EPSS score ?
Summary
SQL Injection in salesagility/suitecrm
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58 | x_refsource_MISC | |
| https://huntr.dev/bounties/8afb7991-c6ed-42d9-bd9b-1cc83418df88 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8afb7991-c6ed-42d9-bd9b-1cc83418df88"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.12.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T12:45:24",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8afb7991-c6ed-42d9-bd9b-1cc83418df88"
}
],
"source": {
"advisory": "8afb7991-c6ed-42d9-bd9b-1cc83418df88",
"discovery": "EXTERNAL"
},
"title": " SQL Injection in salesagility/suitecrm",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0754",
"STATE": "PUBLIC",
"TITLE": " SQL Injection in salesagility/suitecrm"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "salesagility/suitecrm",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.12.5"
}
]
}
}
]
},
"vendor_name": "salesagility"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58",
"refsource": "MISC",
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
},
{
"name": "https://huntr.dev/bounties/8afb7991-c6ed-42d9-bd9b-1cc83418df88",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8afb7991-c6ed-42d9-bd9b-1cc83418df88"
}
]
},
"source": {
"advisory": "8afb7991-c6ed-42d9-bd9b-1cc83418df88",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0754",
"datePublished": "2022-03-07T12:45:24",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-47643
Vulnerability from cvelistv5
Published
2023-11-21 19:32
Modified
2024-08-02 21:16
Severity ?
EPSS score ?
Summary
SuiteCRM has Unauthenticated Graphql Introspection Enabled
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM-Core |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:42.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
},
{
"name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
},
{
"name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 8.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T19:32:21.571Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr"
},
{
"name": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM-Core/commit/117dd8172793a239f71c91222606bf00677eeb33"
},
{
"name": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
}
],
"source": {
"advisory": "GHSA-fxww-jqfv-9rrr",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Unauthenticated Graphql Introspection Enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47643",
"datePublished": "2023-11-21T19:32:21.571Z",
"dateReserved": "2023-11-07T16:57:49.246Z",
"dateUpdated": "2024-08-02T21:16:42.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8786
Vulnerability from cvelistv5
Published
2020-03-16 21:35
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.629Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-16T21:35:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8786",
"datePublished": "2020-03-16T21:35:16",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-5947
Vulnerability from cvelistv5
Published
2017-09-06 21:00
Modified
2024-08-06 07:06
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2015/08/06/6 | mailing-list, x_refsource_MLIST | |
| https://github.com/salesagility/SuiteCRM/issues/333 | x_refsource_CONFIRM | |
| https://github.com/XiphosResearch/exploits/tree/master/suiteshell | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:06:34.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5"
},
{
"name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/issues/333"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-05-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-06T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5"
},
{
"name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/issues/333"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5947",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5",
"refsource": "CONFIRM",
"url": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5"
},
{
"name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6"
},
{
"name": "https://github.com/salesagility/SuiteCRM/issues/333",
"refsource": "CONFIRM",
"url": "https://github.com/salesagility/SuiteCRM/issues/333"
},
{
"name": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell",
"refsource": "CONFIRM",
"url": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5947",
"datePublished": "2017-09-06T21:00:00",
"dateReserved": "2015-08-06T00:00:00",
"dateUpdated": "2024-08-06T07:06:34.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-14752
Vulnerability from cvelistv5
Published
2019-09-30 12:11
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:38.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-02T11:22:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14752",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14752",
"datePublished": "2019-09-30T12:11:42",
"dateReserved": "2019-08-07T00:00:00",
"dateUpdated": "2024-08-05T00:26:38.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3627
Vulnerability from cvelistv5
Published
2023-07-11 16:08
Modified
2024-10-30 14:22
Severity ?
EPSS score ?
Summary
Cross-Site Request Forgery (CSRF) in salesagility/suitecrm-core
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm-core |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:01:57.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/558b3dce-db03-47ba-b60b-c6eb578e04f1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm-core/commit/78285702d76317f081b1fbc59cb2754e93b9a4c3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3627",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T14:09:17.780929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T14:22:45.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm-core",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T16:08:59.618Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/558b3dce-db03-47ba-b60b-c6eb578e04f1"
},
{
"url": "https://github.com/salesagility/suitecrm-core/commit/78285702d76317f081b1fbc59cb2754e93b9a4c3"
}
],
"source": {
"advisory": "558b3dce-db03-47ba-b60b-c6eb578e04f1",
"discovery": "EXTERNAL"
},
"title": "Cross-Site Request Forgery (CSRF) in salesagility/suitecrm-core"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3627",
"datePublished": "2023-07-11T16:08:59.618Z",
"dateReserved": "2023-07-11T16:08:45.598Z",
"dateUpdated": "2024-10-30T14:22:45.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8783
Vulnerability from cvelistv5
Published
2020-03-16 21:26
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-16T21:26:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8783",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8783",
"datePublished": "2020-03-16T21:26:55",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36413
Vulnerability from cvelistv5
Published
2024-06-10 19:38
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated Reflected Cross-Site Scripting
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-ph2c-hvvf-r273 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T15:15:17.720249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T15:15:31.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-ph2c-hvvf-r273",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-ph2c-hvvf-r273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T19:39:16.879Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-ph2c-hvvf-r273",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-ph2c-hvvf-r273"
}
],
"source": {
"advisory": "GHSA-ph2c-hvvf-r273",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36413",
"datePublished": "2024-06-10T19:38:55.356Z",
"dateReserved": "2024-05-27T15:59:57.032Z",
"dateUpdated": "2024-08-02T03:37:05.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-5351
Vulnerability from cvelistv5
Published
2023-10-03 11:58
Modified
2024-09-19 20:16
Severity ?
EPSS score ?
Summary
Cross-site Scripting (XSS) - Stored in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:43.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/f7c7fcbc-5421-4a29-9385-346a1caa485b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/c43eaa311fb010b7928983e6afc6f9075c3996aa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5351",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T20:16:18.944891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T20:16:27.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-03T11:58:01.156Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/f7c7fcbc-5421-4a29-9385-346a1caa485b"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/c43eaa311fb010b7928983e6afc6f9075c3996aa"
}
],
"source": {
"advisory": "f7c7fcbc-5421-4a29-9385-346a1caa485b",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5351",
"datePublished": "2023-10-03T11:58:01.156Z",
"dateReserved": "2023-10-03T11:57:49.759Z",
"dateUpdated": "2024-09-19T20:16:27.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36408
Vulnerability from cvelistv5
Published
2024-06-10 16:46
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated SQL Injection in Alerts
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.6.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "7.14.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T20:12:45.506530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:14:39.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:46:00.935Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-2g8f-gjrr-x5cg"
}
],
"source": {
"advisory": "GHSA-2g8f-gjrr-x5cg",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated SQL Injection in Alerts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36408",
"datePublished": "2024-06-10T16:46:00.935Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:05.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-5948
Vulnerability from cvelistv5
Published
2017-09-06 21:00
Modified
2024-08-06 07:06
Severity ?
EPSS score ?
Summary
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2015/08/06/6 | mailing-list, x_refsource_MLIST | |
| https://github.com/salesagility/SuiteCRM/issues/333 | x_refsource_CONFIRM | |
| https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5 | x_refsource_MISC | |
| https://github.com/XiphosResearch/exploits/tree/master/suiteshell | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:06:34.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/issues/333"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-05-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-06T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/issues/333"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150806 Re: CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/08/06/6"
},
{
"name": "https://github.com/salesagility/SuiteCRM/issues/333",
"refsource": "CONFIRM",
"url": "https://github.com/salesagility/SuiteCRM/issues/333"
},
{
"name": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5",
"refsource": "MISC",
"url": "https://github.com/salesagility/SuiteCRM/commit/b1b3fd61c7697ad2073cd253d31c9462929e7bb5"
},
{
"name": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell",
"refsource": "CONFIRM",
"url": "https://github.com/XiphosResearch/exploits/tree/master/suiteshell"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5948",
"datePublished": "2017-09-06T21:00:00",
"dateReserved": "2015-08-06T00:00:00",
"dateUpdated": "2024-08-06T07:06:34.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36419
Vulnerability from cvelistv5
Published
2024-06-10 21:15
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM-Core Host Header Injection in /legacy
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM-Core |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T17:47:58.999931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T17:51:07.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T21:15:37.840Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-3323-hjq3-c6vc"
}
],
"source": {
"advisory": "GHSA-3323-hjq3-c6vc",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM-Core Host Header Injection in /legacy "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36419",
"datePublished": "2024-06-10T21:15:37.840Z",
"dateReserved": "2024-05-27T15:59:57.033Z",
"dateUpdated": "2024-08-02T03:37:05.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13335
Vulnerability from cvelistv5
Published
2019-10-02 11:16
Modified
2024-08-04 23:49
Severity ?
EPSS score ?
Summary
SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7 | x_refsource_CONFIRM | |
| https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:49:24.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-02T11:16:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13335",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_7"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13335",
"datePublished": "2019-10-02T11:16:24",
"dateReserved": "2019-07-05T00:00:00",
"dateUpdated": "2024-08-04T23:49:24.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45897
Vulnerability from cvelistv5
Published
2022-01-28 16:21
Modified
2024-08-04 04:54
Severity ?
EPSS score ?
Summary
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/8.x/admin/releases/8.0/ | x_refsource_MISC | |
| https://docs.suitecrm.com/admin/releases/7.12.x/ | x_refsource_MISC | |
| https://github.com/manuelz120/CVE-2021-45897 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:54:30.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/manuelz120/CVE-2021-45897"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-03T13:38:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manuelz120/CVE-2021-45897"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45897",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/8.x/admin/releases/8.0/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/8.x/admin/releases/8.0/"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.12.x/",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.12.x/"
},
{
"name": "https://github.com/manuelz120/CVE-2021-45897",
"refsource": "MISC",
"url": "https://github.com/manuelz120/CVE-2021-45897"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45897",
"datePublished": "2022-01-28T16:21:31",
"dateReserved": "2021-12-27T00:00:00",
"dateUpdated": "2024-08-04T04:54:30.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-50335
Vulnerability from cvelistv5
Published
2024-11-05 18:42
Modified
2024-11-05 18:56
Severity ?
EPSS score ?
Summary
Authenticated XSS in "Publish Key" Field Allowing Unauthorized Administrator User Creation in SuiteCRM
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8rw6-g96j-3w7m | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.7.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:54:28.278138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:56:13.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The \"Publish Key\" field in SuiteCRM\u0027s Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions, such as creating new administrative users without proper authentication. The vulnerability arises due to insufficient input validation and sanitization of the Publish Key field within the SuiteCRM application. When an attacker injects a malicious script, it gets executed within the context of an authenticated user\u0027s session. The injected script (o.js) then leverages the captured CSRF token to forge requests that create new administrative users, effectively compromising the integrity and security of the CRM instance. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:42:14.203Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8rw6-g96j-3w7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8rw6-g96j-3w7m"
}
],
"source": {
"advisory": "GHSA-8rw6-g96j-3w7m",
"discovery": "UNKNOWN"
},
"title": "Authenticated XSS in \"Publish Key\" Field Allowing Unauthorized Administrator User Creation in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-50335",
"datePublished": "2024-11-05T18:42:14.203Z",
"dateReserved": "2024-10-22T17:54:40.954Z",
"dateUpdated": "2024-11-05T18:56:13.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36409
Vulnerability from cvelistv5
Published
2024-06-10 17:21
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM authenticated SQL Injection in TreeData entrypoint
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-pxq4-vw23-v73f | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T20:10:05.556144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:10:21.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-pxq4-vw23-v73f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-pxq4-vw23-v73f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:21:27.796Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-pxq4-vw23-v73f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-pxq4-vw23-v73f"
}
],
"source": {
"advisory": "GHSA-pxq4-vw23-v73f",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM authenticated SQL Injection in TreeData entrypoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36409",
"datePublished": "2024-06-10T17:21:27.796Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:05.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36407
Vulnerability from cvelistv5
Published
2024-06-10 16:38
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM unauthenticated user password reset on php7
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThanOrEqual": "8.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "8.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T17:18:54.857063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T17:22:49.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:45:33.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-6p2f-wwx9-952r"
}
],
"source": {
"advisory": "GHSA-6p2f-wwx9-952r",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM unauthenticated user password reset on php7"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36407",
"datePublished": "2024-06-10T16:38:17.390Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:05.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8801
Vulnerability from cvelistv5
Published
2020-02-13 15:12
Modified
2024-08-04 10:12
Severity ?
EPSS score ?
Summary
SuiteCRM through 7.11.11 allows PHAR Deserialization.
References
| ▼ | URL | Tags |
|---|---|---|
| https://suitecrm.com | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Feb/4 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM through 7.11.11 allows PHAR Deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-13T17:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://suitecrm.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Feb/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8801",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM through 7.11.11 allows PHAR Deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://suitecrm.com",
"refsource": "MISC",
"url": "https://suitecrm.com"
},
{
"name": "http://seclists.org/fulldisclosure/2020/Feb/4",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2020/Feb/4"
},
{
"name": "http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8801",
"datePublished": "2020-02-13T15:12:21",
"dateReserved": "2020-02-07T00:00:00",
"dateUpdated": "2024-08-04T10:12:10.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-16922
Vulnerability from cvelistv5
Published
2019-09-27 15:12
Modified
2024-08-05 01:24
Severity ?
EPSS score ?
Summary
SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-27T15:12:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16922",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8",
"refsource": "MISC",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16922",
"datePublished": "2019-09-27T15:12:33",
"dateReserved": "2019-09-27T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0756
Vulnerability from cvelistv5
Published
2022-03-07 00:00
Modified
2024-08-02 23:40
Severity ?
EPSS score ?
Summary
Missing Authorization in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.658Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/55164a63-62e4-4fb6-b4ca-87eca14f6f31"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.12.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/55164a63-62e4-4fb6-b4ca-87eca14f6f31"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
}
],
"source": {
"advisory": "55164a63-62e4-4fb6-b4ca-87eca14f6f31",
"discovery": "EXTERNAL"
},
"title": "Missing Authorization in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0756",
"datePublished": "2022-03-07T00:00:00",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-08-02T23:40:03.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6131
Vulnerability from cvelistv5
Published
2023-11-14 16:27
Modified
2024-08-30 18:31
Severity ?
EPSS score ?
Summary
Code Injection in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/5fa50b25-f6b1-408c-99df-4442c86c563f"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6131",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:28:29.198979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:31:54.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 7.12.14, 8.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T16:27:57.047Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/5fa50b25-f6b1-408c-99df-4442c86c563f"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "5fa50b25-f6b1-408c-99df-4442c86c563f",
"discovery": "EXTERNAL"
},
"title": "Code Injection in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6131",
"datePublished": "2023-11-14T16:27:57.047Z",
"dateReserved": "2023-11-14T16:27:39.472Z",
"dateUpdated": "2024-08-30T18:31:54.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-49772
Vulnerability from cvelistv5
Published
2024-11-05 18:31
Modified
2024-11-05 19:00
Severity ?
EPSS score ?
Summary
Authenticated SQL injection in AM_ProjectTemplates controller in SuiteCRM
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-4xj8-hr85-hm3m | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.7.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49772",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T19:00:15.770112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T19:00:51.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor input validation allows authenticated user do a SQL injection attack. Authenticated user with low pivilege can leak all data in database. This issue has been addressed in releases 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:31:20.615Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-4xj8-hr85-hm3m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-4xj8-hr85-hm3m"
}
],
"source": {
"advisory": "GHSA-4xj8-hr85-hm3m",
"discovery": "UNKNOWN"
},
"title": "Authenticated SQL injection in AM_ProjectTemplates controller in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49772",
"datePublished": "2024-11-05T18:31:20.615Z",
"dateReserved": "2024-10-18T13:43:23.458Z",
"dateUpdated": "2024-11-05T19:00:51.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-49774
Vulnerability from cvelistv5
Published
2024-11-05 18:37
Modified
2024-11-05 18:59
Severity ?
EPSS score ?
Summary
ModuleScanner flaws in SuiteCRM
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.7.1",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:58:36.364666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:59:06.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.6"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn\u0027t take into account all scenarios. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:37:05.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227"
}
],
"source": {
"advisory": "GHSA-9v56-vhp4-x227",
"discovery": "UNKNOWN"
},
"title": "ModuleScanner flaws in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49774",
"datePublished": "2024-11-05T18:37:05.422Z",
"dateReserved": "2024-10-18T13:43:23.459Z",
"dateUpdated": "2024-11-05T18:59:06.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-6130
Vulnerability from cvelistv5
Published
2023-11-14 16:19
Modified
2024-08-30 18:34
Severity ?
EPSS score ?
Summary
Path Traversal: '\..\filename' in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.522Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/22a27be9-f016-4daf-9887-c77eb3e1dc74"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:32:28.495984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:34:42.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.14.2, 7.12.14, 8.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T16:19:29.202Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/22a27be9-f016-4daf-9887-c77eb3e1dc74"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
}
],
"source": {
"advisory": "22a27be9-f016-4daf-9887-c77eb3e1dc74",
"discovery": "EXTERNAL"
},
"title": "Path Traversal: \u0027\\..\\filename\u0027 in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6130",
"datePublished": "2023-11-14T16:19:29.202Z",
"dateReserved": "2023-11-14T16:19:10.880Z",
"dateUpdated": "2024-08-30T18:34:42.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1034
Vulnerability from cvelistv5
Published
2023-02-25 00:00
Modified
2024-08-02 05:32
Severity ?
EPSS score ?
Summary
Path Traversal: '\..\filename' in salesagility/suitecrm
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | salesagility/suitecrm |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/0c1365bc-8d9a-4ae0-8b55-615d492b3730"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/salesagility/suitecrm/commit/c19f221a41706efc8d73cef95c5e362c4f86bf06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "salesagility/suitecrm",
"vendor": "salesagility",
"versions": [
{
"lessThan": "7.12.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository salesagility/suitecrm prior to 7.12.9."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-25T00:00:00",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/0c1365bc-8d9a-4ae0-8b55-615d492b3730"
},
{
"url": "https://github.com/salesagility/suitecrm/commit/c19f221a41706efc8d73cef95c5e362c4f86bf06"
}
],
"source": {
"advisory": "0c1365bc-8d9a-4ae0-8b55-615d492b3730",
"discovery": "EXTERNAL"
},
"title": "Path Traversal: \u0027\\..\\filename\u0027 in salesagility/suitecrm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-1034",
"datePublished": "2023-02-25T00:00:00",
"dateReserved": "2023-02-25T00:00:00",
"dateUpdated": "2024-08-02T05:32:46.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-12601
Vulnerability from cvelistv5
Published
2019-06-07 17:33
Modified
2024-08-04 23:24
Severity ?
EPSS score ?
Summary
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:24:38.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-06-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-07T17:33:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12601",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5",
"refsource": "CONFIRM",
"url": "https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12601",
"datePublished": "2019-06-07T17:33:14",
"dateReserved": "2019-06-03T00:00:00",
"dateUpdated": "2024-08-04T23:24:38.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36417
Vulnerability from cvelistv5
Published
2024-06-10 19:55
Modified
2024-08-02 03:37
Severity ?
EPSS score ?
Summary
SuiteCRM Stored XSS Vulnerability Allows Code Execution via Malicious iFrame
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| salesagility | SuiteCRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T18:48:33.576782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T18:49:00.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "salesagility",
"versions": [
{
"status": "affected",
"version": "\u003c 7.14.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T20:02:30.991Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j"
}
],
"source": {
"advisory": "GHSA-3www-6rqc-rm7j",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Stored XSS Vulnerability Allows Code Execution via Malicious iFrame"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36417",
"datePublished": "2024-06-10T19:55:56.571Z",
"dateReserved": "2024-05-27T15:59:57.033Z",
"dateUpdated": "2024-08-02T03:37:05.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}