CVE-2020-28328 – SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-28328
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. SuiteCRM versiones anteriores a 7.11.17 es vulnerable a una ejecución de código remota por medio de la configuración Log File Name de los ajustes de sistema. En determinadas circunstancias involucra la toma de control de la cuenta de administrador, la función logger_file_name puede referirse a un archivo .php controlado por el atacante en la web root SuiteCRM version 7.11.15 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/49001 http://packetstormsecurity.com/files/159937/SuiteCRM-7.11.15-Remote-Code-Execution.html http://packetstormsecurity.com/files/162975/SuiteCRM-Log-File-Remote-Code-Execution.html http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html https://github.com/mcorybillington/SuiteCRM-RCE https://suitecrm.com/suitecrm-7-11-17-7-10-28-lts-versions-released https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE https://theyhack.me/SuiteCRM- • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-18785
https://notcve.org/view.php?id=CVE-2019-18785
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. SuiteCRM versiones 7.10.x anteriores a 7.10.21 y versiones 7.11.x anteriores a 7.11.9, maneja inapropiadamente tokens y credenciales de acceso a la API. • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21 https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9 • CWE-522: Insufficiently Protected Credentials •
CVE-2019-18782
https://notcve.org/view.php?id=CVE-2019-18782
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism. SuiteCRM versiones 7.10.x anteriores a 7.10.21 y versiones 7.11.x anteriores a 7.11.9, no implementa correctamente el mecanismo de protección de .htaccess. • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21 https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_9 •
CVE-2020-8784
https://notcve.org/view.php?id=CVE-2020-8784
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). SuiteCRM versiones 7.10.x anteriores a 7.10.23 y versiones 7.11.x anteriores a 7.11.11, permiten una Inyección SQL (problema 2 de 4). • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-8785
https://notcve.org/view.php?id=CVE-2020-8785
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). SuiteCRM versiones 7.10.x anteriores a 7.10.23 y versiones 7.11.x anteriores a 7.11.11, permiten una Inyección SQL (problema 3 de 4). • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_11 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •