Vulnerabilities for 'Suitecrm'

2022-04-15
CVE-2022-27474 (NVD-CWE-noinfo)
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.

 
2022-03-10
CVE-2022-23940 (CWE-502: Deserialization of Untrusted Data)
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows remote code execution. Authenticated users with access to the Scheduled Reports module can send a crafted request that creates a report whose email_recipients property holds a PHP-serialized payload. When anyone later opens that report, the backend unserializes the email_recipients field and the payload executes. The project's dependencies include a number of usable PHP deserialization gadget chains (e.g., Monolog/RCE1 from phpggc) that turn the unserialize() call into code execution.

 
2022-03-07
CVE-2022-0754 (CWE-89: SQL Injection)
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.

CVE-2022-0755 (CWE-287: Improper Authentication)
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.12.5.

CVE-2022-0756 (CWE-863: Incorrect Authorization)
Improper Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

 
2022-01-28
CVE-2021-45897 (NVD-CWE-noinfo)
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.

CVE-2021-45898 (NVD-CWE-noinfo)
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.

CVE-2021-45899 (CWE-502: Deserialization of Untrusted Data)
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
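The local file inclusion (CVE-2021-45898) and PHAR deserialization (CVE-2021-45899) entries share one root cause: a user-controlled string reaches a filesystem function or include. The added example below is not SuiteCRM's code; it shows the path-handling check a practitioner would put in front of such calls in PHP 8, with a throwaway base directory and a constructed set of inputs (legitimate, traversal, phar://, php://filter, NUL byte).

```php
<?php
// Added example, not SuiteCRM code. Confines a user-supplied relative path to a
// fixed base directory and refuses stream-wrapper URLs before any filesystem
// function or include sees the value. Requires PHP 8.

function resolveUnderBase(string $baseDir, string $userPath): string
{
    // PHP < 8.0 unserialized phar metadata as soon as file_exists(), is_file(),
    // include etc. touched a phar:// path, so any scheme is rejected up front.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        throw new InvalidArgumentException("stream wrapper not allowed: $userPath");
    }
    if (str_contains($userPath, "\0")) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    // Conservative allow-list for the characters of a relative path.
    if (preg_match('#^[A-Za-z0-9_./-]+$#', $userPath) !== 1) {
        throw new InvalidArgumentException("disallowed characters in path: $userPath");
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("base directory missing: $baseDir");
    }
    // realpath() collapses ../ segments and symlinks, so the prefix test below
    // is made on the canonical target, not on the attacker's spelling of it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        throw new RuntimeException("no such file: $userPath");
    }
    if ($candidate !== $base && !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException("path escapes base directory: $userPath");
    }
    return $candidate;
}

// Constructed fixture: a throwaway base directory with one legitimate template.
$base = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/hello.tpl', "Hello\n");

// Constructed inputs.
$inputs = [
    'templates/hello.tpl',                                     // legitimate
    'templates/../templates/hello.tpl',                        // stays inside after canonicalisation
    '../../../../../../etc/passwd',                            // classic LFI traversal
    'phar://uploads/avatar.jpg/x',                             // PHAR metadata deserialization vector
    'php://filter/convert.base64-encode/resource=config.php',  // source disclosure via filter wrapper
    "templates/hello.tpl\0.png",                               // NUL-byte extension trick
];

foreach ($inputs as $in) {
    $shown = addcslashes($in, "\0");
    try {
        echo "ALLOW  $shown -> ", resolveUnderBase($base, $in), "\n";
    } catch (Throwable $e) {
        echo "REJECT $shown : ", $e->getMessage(), "\n";
    }
}

unlink($base . '/templates/hello.tpl');
rmdir($base . '/templates');
rmdir($base);
```

Two caveats. The stream-wrapper test must run before realpath() or any other filesystem call, because the dangerous behaviour is triggered by the call itself, not by what it returns. And PHP 8.0 stopped unserializing phar metadata automatically (it is now only read through Phar::getMetadata), which removes the CVE-2021-45899 trigger on current PHP but leaves the LFI and php://filter problems in place, so the scheme check is still needed.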

 
2022-01-12
CVE-2021-41597 (CWE-352: Cross-Site Request Forgery)
SuiteCRM through 7.11.21 is vulnerable to CSRF in the UpgradeWizard functionality, with resultant remote code execution if the ZIP archive submitted through the forged request includes a PHP file.

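The control the UpgradeWizard request above was missing, as an added PHP 8 example that is not SuiteCRM's code: a synchronizer token bound to the administrator's session, with a Fetch Metadata / Origin check as an independent second layer. Sessions, headers and uploads are plain arrays here so the scenario runs without a web server; the origin, filenames and request shapes are constructed.

```php
<?php
// Added example, not SuiteCRM code. Synchronizer-token CSRF protection plus an
// origin check for an admin-only upload handler. Requires PHP 8.

function issueCsrfToken(array &$session): string
{
    // One unguessable token per session; rotate it on login in a real application.
    $session['csrf_token'] ??= bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function csrfTokenIsValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    // hash_equals() keeps the comparison constant-time.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function requestIsSameOrigin(array $headers, string $ourOrigin): bool
{
    // Browsers that implement Fetch Metadata label cross-site form posts explicitly.
    if (isset($headers['Sec-Fetch-Site'])) {
        return in_array($headers['Sec-Fetch-Site'], ['same-origin', 'none'], true);
    }
    // Older browsers: exact Origin match, then a Referer prefix match.
    if (isset($headers['Origin'])) {
        return $headers['Origin'] === $ourOrigin;
    }
    if (isset($headers['Referer'])) {
        return str_starts_with($headers['Referer'], $ourOrigin . '/');
    }
    return false; // no provenance at all: refuse state-changing requests
}

function handleUpgradeUpload(array $session, array $request, string $ourOrigin): string
{
    if (empty($session['is_admin'])) {
        return '403 administrator session required';
    }
    if (!requestIsSameOrigin($request['headers'], $ourOrigin)) {
        return '403 cross-site request refused';
    }
    if (!csrfTokenIsValid($session, $request['post'])) {
        return '403 missing or invalid CSRF token';
    }
    // Only now would the uploaded package be staged and installed.
    return '200 package ' . $request['files']['upgrade_zip'] . ' accepted';
}

// Constructed scenario: a logged-in admin and four requests that all arrive with
// that admin's session cookie attached.
$ourOrigin = 'https://crm.example.test';
$adminSession = ['is_admin' => true];
$token = issueCsrfToken($adminSession);

$requests = [
    'legitimate upgrade from the admin UI' => [
        'headers' => ['Origin' => $ourOrigin, 'Sec-Fetch-Site' => 'same-origin'],
        'post'    => ['csrf_token' => $token],
        'files'   => ['upgrade_zip' => 'suitecrm-upgrade.zip'],
    ],
    'auto-submitted form on an attacker page' => [
        'headers' => ['Origin' => 'https://attacker.example', 'Sec-Fetch-Site' => 'cross-site'],
        'post'    => [],
        'files'   => ['upgrade_zip' => 'upgrade-with-shell.zip'],
    ],
    'post with Referer stripped and no Fetch Metadata' => [
        'headers' => [],
        'post'    => [],
        'files'   => ['upgrade_zip' => 'upgrade-with-shell.zip'],
    ],
    'same-origin request carrying a guessed token' => [
        'headers' => ['Origin' => $ourOrigin, 'Sec-Fetch-Site' => 'same-origin'],
        'post'    => ['csrf_token' => str_repeat('0', 64)],
        'files'   => ['upgrade_zip' => 'upgrade-with-shell.zip'],
    ],
];

foreach ($requests as $label => $req) {
    echo str_pad($label, 52), ' => ', handleUpgradeUpload($adminSession, $req, $ourOrigin), "\n";
}
```

Sec-Fetch-Site values of same-site are deliberately treated as untrusted here, because a sibling subdomain is not necessarily under the CRM operator's control; relax that only if every host under the registrable domain is trusted. The token check is the primary control and the origin check a fallback; neither helps if the upload can also be triggered by a GET request, so state-changing admin actions should accept POST only.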
 
2021-12-19
CVE-2021-45041 (CWE-89: SQL Injection)
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
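The two SQL injection entries on this page (CVE-2021-45041 in the Project module's Tooltips action and the pre-7.12.5 CVE-2022-0754) share the same shape: request parameters spliced into a query string. The added example below is not SuiteCRM's code and does not use its database layer; it uses PDO with an in-memory SQLite database, a constructed schema and constructed rows to show a resource_id / start_date lookup built by concatenation, the UNION payload that turns it into a credential dump, and the parameterized version that treats the same payload as an ordinary string.

```php
<?php
// Added example, not SuiteCRM code. Requires the pdo_sqlite extension.
// Table and column names are constructed for the example.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE project_task (id INTEGER PRIMARY KEY, name TEXT, resource_id TEXT, date_start TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_hash TEXT)');
$db->exec("INSERT INTO project_task (name, resource_id, date_start) VALUES
    ('Kickoff', 'res-1', '2021-12-01'),
    ('Design',  'res-2', '2021-12-02')");
$db->exec("INSERT INTO users (user_name, user_hash) VALUES ('admin', '\$2y\$10\$constructed-hash')");

// Vulnerable: both request parameters are interpolated into the SQL text.
function tooltipVulnerable(PDO $db, string $resourceId, string $startDate): array
{
    $sql = "SELECT name FROM project_task WHERE resource_id = '$resourceId' AND date_start = '$startDate'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: placeholders. The driver sends the values separately from the query,
// so no value can change the statement's structure.
function tooltipSafe(PDO $db, string $resourceId, string $startDate): array
{
    $stmt = $db->prepare('SELECT name FROM project_task WHERE resource_id = ? AND date_start = ?');
    $stmt->execute([$resourceId, $startDate]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker value for resource_id: closes the quote, appends a UNION
// over the users table, and comments out the rest of the original WHERE clause.
$injected = "' UNION SELECT user_name || ':' || user_hash FROM users -- ";

echo "Expected use:\n";
print_r(tooltipVulnerable($db, 'res-1', '2021-12-01'));   // Kickoff

echo "Vulnerable query with injected resource_id:\n";
print_r(tooltipVulnerable($db, $injected, 'x'));           // admin:$2y$10$constructed-hash

echo "Parameterized query with the same input:\n";
print_r(tooltipSafe($db, $injected, 'x'));                 // empty: no resource_id matches the payload
```

The resulting vulnerable statement is `... WHERE resource_id = '' UNION SELECT user_name || ':' || user_hash FROM users -- ' AND date_start = 'x'`, which is why the second parameter no longer matters once the first is controlled. Escaping with a quoting helper would close this particular hole, but prepared statements remove the whole class, including numeric contexts where quotes are never present.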

 


Copyright 2024, cxsecurity.com
