CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14208
https://notcve.org/view.php?id=CVE-2020-14208
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. SuiteCRM versión 7.11.13, está afectado por una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en la funcionalidad Documents preview. Esta vulnerabilidad podría permitir a atacantes autenticados remotamente inyectar código web o HTML arbitrario • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15300
https://notcve.org/view.php?id=CVE-2020-15300
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. SuiteCRM versiones hasta 7.11.13, presenta un redireccionamiento abierto en el módulo Documents por medio de un documento SVG diseñado • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15301
https://notcve.org/view.php?id=CVE-2020-15301
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. SuiteCRM versiones hasta 7.11.13, permite la inyección de CSV por medio de los campos de registro en los módulos Accounts, Contacts, Opportunities, y Leads. Estos campos son manejados inapropiadamente durante una operación de Descargar plantilla de archivo de importación • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 9.0EPSS: 7%CPEs: 1EXPL: 5CVE-2020-28328 – SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-28328
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. SuiteCRM versiones anteriores a 7.11.17 es vulnerable a una ejecución de código remota por medio de la configuración Log File Name de los ajustes de sistema. En determinadas circunstancias involucra la toma de control de la cuenta de administrador, la función logger_file_name puede referirse a un archivo .php controlado por el atacante en la web root SuiteCRM version 7.11.15 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/49001 http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html https://github.com/mcorybillington/SuiteCRM-RCE https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE https://theyhack.me/SuiteCRM- • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-18785
https://notcve.org/view.php?id=CVE-2019-18785
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. SuiteCRM versiones 7.10.x anteriores a 7.10.21 y versiones 7.11.x anteriores a 7.11.9, maneja inapropiadamente tokens y credenciales de acceso a la API. • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21 https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9 • CWE-522: Insufficiently Protected Credentials •