CVE-2020-28328 – SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-28328
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. SuiteCRM versiones anteriores a 7.11.17 es vulnerable a una ejecución de código remota por medio de la configuración Log File Name de los ajustes de sistema. En determinadas circunstancias involucra la toma de control de la cuenta de administrador, la función logger_file_name puede referirse a un archivo .php controlado por el atacante en la web root SuiteCRM version 7.11.15 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/49001 http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html https://github.com/mcorybillington/SuiteCRM-RCE https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE https://theyhack.me/SuiteCRM- • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-8804 – SuiteCRM 7.11.10 SQL Injection
https://notcve.org/view.php?id=CVE-2020-8804
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. SuiteCRM versiones hasta 7.11.10, permite una inyección SQL por medio de la API SOAP, la interfaz EmailUIAjax o el módulo MailMerge. SuiteCRM versions 7.11.10 and below suffer from multiple remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html http://seclists.org/fulldisclosure/2020/Feb/7 https://suitecrm.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-8803 – SuiteCRM 7.11.11 Broken Access Control / Local File Inclusion
https://notcve.org/view.php?id=CVE-2020-8803
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list. SuiteCRM versiones hasta 7.11.11, permite un Salto de Directorio para incluir archivos arbitrarios .php dentro de la root web por medio de la función add_to_prospect_list. SuiteCRM versions 7.11.11 and below suffer from an add_to_prospect_list broken access control that allows for local file inclusion attacks. • http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html http://seclists.org/fulldisclosure/2020/Feb/6 https://suitecrm.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-8802 – SuiteCRM 7.11.11 Bean Manipulation
https://notcve.org/view.php?id=CVE-2020-8802
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation. SuiteCRM versiones hasta 7.11.11, presenta un Control de Acceso Incorrecto por medio de una Manipulación de Bean de action_saveHTMLField. SuiteCRM versions 7.11.11 and below suffer from an action_saveHTMLField bean manipulation vulnerability. • http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html http://seclists.org/fulldisclosure/2020/Feb/5 https://suitecrm.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-8801 – SuiteCRM 7.11.11 Phar Deserialization
https://notcve.org/view.php?id=CVE-2020-8801
SuiteCRM through 7.11.11 allows PHAR Deserialization. SuiteCRM versiones hasta 7.11.11, permite una deserialización de PHAR. SuiteCRM versions 7.11.11 and below suffer from multiple phar deserialization vulnerabilities. • http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html http://seclists.org/fulldisclosure/2020/Feb/4 https://suitecrm.com • CWE-502: Deserialization of Untrusted Data •