📦 SuiteCRM
by SalesAgility
🛡️ Security Overview
⚠️ Known Vulnerabilities
This is a critical SQL injection vulnerability in SuiteCRM's export functionality that allows unauthenticated remote attackers to execute arbitrary SQL commands. Successful exploitation can lead to re...
This vulnerability in SuiteCRM allows attackers to upload malicious files that bypass verification checks, leading to remote code execution. All SuiteCRM instances prior to versions 7.14.4 and 8.6.1 a...
This is a critical SQL injection vulnerability in SuiteCRM that allows attackers to execute arbitrary SQL commands through the events response entry point. All SuiteCRM instances running versions prio...
This CVE describes a SQL injection vulnerability in SuiteCRM's Tree data entry point due to poor input validation. Attackers can execute arbitrary SQL commands, potentially compromising the database. ...
This CVE describes a SQL injection vulnerability in SuiteCRM's Alerts controller due to poor input validation. Attackers can execute arbitrary SQL commands, potentially compromising the CRM database. ...
SuiteCRM version 7.14.2 contains a Local File Inclusion (LFI) vulnerability that allows attackers to include and execute arbitrary PHP files from the local filesystem. This affects all organizations ...
This CVE describes a SQL injection vulnerability in SuiteCRM versions prior to 7.14.1. Attackers can inject malicious SQL queries through user-controlled inputs, potentially allowing unauthorized data...
This vulnerability allows attackers to include local files on the server through SuiteCRM, potentially leading to sensitive information disclosure or remote code execution. It affects SuiteCRM install...
SuiteCRM versions 8.9.0 and below contain a time-based blind SQL injection vulnerability that allows authenticated attackers to infer database information by measuring response time differences. This ...
SuiteCRM versions 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions remain active after account deactivation. This allows deactivated us...
SuiteCRM versions 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0 have an access control vulnerability where low-privileged users can view and create work items through Resource Calendar and project ...
This SQL injection vulnerability in SuiteCRM allows attackers to manipulate SQL queries via malicious call_id parameters, potentially leading to unauthorized data access, database compromise, and data...
This SQL injection vulnerability in SuiteCRM's InboundEmail module allows attackers to execute arbitrary database queries. All SuiteCRM instances running versions below 7.14.7 are affected, potentiall...
SuiteCRM versions 7.14.6 and 8.8.0 contain an insecure deserialization vulnerability where user input is passed directly to PHP's unserialize() function without proper validation. This allows attacker...
SuiteCRM 7.12.7 contains an authenticated file upload vulnerability that allows authenticated users to upload malicious files. When combined with insecure deserialization, this can lead to remote code...
SuiteCRM 7.12.7 contains an authenticated data disclosure vulnerability that allows authenticated users to retrieve arbitrary database fields they shouldn't have access to. This affects all organizati...
SuiteCRM versions before 7.14.6 and 8.7.1 contain a vulnerability in their malicious MLP (Module Loadable Package) prevention mechanism. Attackers can bypass the function/method blacklist using specif...
SuiteCRM version 7.14.4 has a SQL injection vulnerability that allows authenticated users with low privileges to execute arbitrary SQL queries. This can lead to complete database compromise, exposin...
SuiteCRM versions before 7.14.5 and 8.6.2 have an insufficient access control vulnerability in the API that allows authenticated attackers to delete records they shouldn't have permission to delete. T...
This vulnerability in SuiteCRM allows authenticated users to execute arbitrary code remotely through connectors. It affects all SuiteCRM installations prior to versions 7.14.4 and 8.6.1. Attackers wit...
This vulnerability in SuiteCRM allows attackers to perform server-side request forgery (SSRF) attacks through the connectors file verification feature. It affects all SuiteCRM installations prior to v...
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in SuiteCRM Core that allows attackers to trick authenticated users into performing unintended actions. Attackers can exploit this ...
CVE-2022-27474 is a remote code execution vulnerability in SuiteCRM v7.11.23 that allows attackers to execute arbitrary code by injecting a crafted payload into the FirstName text field. This affects ...
This vulnerability allows remote attackers to execute arbitrary code on SuiteCRM installations. It affects SuiteCRM versions before 7.12.3 and 8.x before 8.0.2. Attackers can exploit this without auth...
SuiteCRM versions before 7.11.19 allow remote code execution via the Log File Name setting in system settings. Attackers who compromise admin accounts can set logger_file_name to point to malicious PH...
This is a CSV injection vulnerability in SuiteCRM that allows low-privileged attackers to inject malicious formulas into input fields. When an administrator exports account data as a CSV file and open...
SuiteCRM versions 8.6.0 through 8.9.0 contain an authenticated blind SQL injection vulnerability in the GraphQL API's appMetadata operation. This allows authenticated users (without administrative pri...
SuiteCRM versions 7.14.7 and below contain an unauthenticated reflected XSS vulnerability that allows attackers to execute arbitrary JavaScript in victims' browsers. This could lead to credential thef...
This vulnerability allows remote unauthenticated attackers to exploit a type confusion flaw in SuiteCRM's deleteAttachment functionality to modify database objects. Attackers could change administrato...
This reflected XSS vulnerability in SuiteCRM v7.14.1 allows attackers to execute arbitrary JavaScript code by manipulating the HTTP Referer header. The vulnerability affects all users of the vulnerabl...
SuiteCRM versions 7.14.0 through 7.14.6 contain a stored XSS vulnerability in the email viewer. An attacker can send a malicious email that executes JavaScript when viewed by any authenticated user, p...
SuiteCRM versions 7.14.6 and below contain a reflected cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary JavaScript code by manipulating the HTTP Referer header. This...
SuiteCRM has an input validation vulnerability in the ParserLabel::addLabels() function that allows attackers to write arbitrary data to custom language files. This can lead to remote code execution w...
SuiteCRM versions before 8.6.1 contain a Host Header Injection vulnerability in the /legacy route. This allows attackers to manipulate host headers to potentially redirect users to malicious sites or ...
SuiteCRM versions before 7.14.4 and 8.6.1 allow unverified IFrames in certain input fields, enabling cross-site scripting (XSS) attacks. This vulnerability affects all SuiteCRM users running vulnerabl...
SuiteCRM versions before 7.14.4 and 8.6.1 contain an open redirect vulnerability due to unchecked input. This allows attackers to redirect users to malicious websites after they click on manipulated l...