CVE-2020-8804 – SuiteCRM 7.11.10 SQL Injection
https://notcve.org/view.php?id=CVE-2020-8804
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. SuiteCRM versiones hasta 7.11.10, permite una inyección SQL por medio de la API SOAP, la interfaz EmailUIAjax o el módulo MailMerge. SuiteCRM versions 7.11.10 and below suffer from multiple remote SQL injection vulnerabilities. • http://packetstormsecurity.com/files/156331/SuiteCRM-7.11.10-SQL-Injection.html http://seclists.org/fulldisclosure/2020/Feb/7 https://suitecrm.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-8803 – SuiteCRM 7.11.11 Broken Access Control / Local File Inclusion
https://notcve.org/view.php?id=CVE-2020-8803
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list. SuiteCRM versiones hasta 7.11.11, permite un Salto de Directorio para incluir archivos arbitrarios .php dentro de la root web por medio de la función add_to_prospect_list. SuiteCRM versions 7.11.11 and below suffer from an add_to_prospect_list broken access control that allows for local file inclusion attacks. • http://packetstormsecurity.com/files/156329/SuiteCRM-7.11.11-Broken-Access-Control-Local-File-Inclusion.html http://seclists.org/fulldisclosure/2020/Feb/6 https://suitecrm.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-8802 – SuiteCRM 7.11.11 Bean Manipulation
https://notcve.org/view.php?id=CVE-2020-8802
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation. SuiteCRM versiones hasta 7.11.11, presenta un Control de Acceso Incorrecto por medio de una Manipulación de Bean de action_saveHTMLField. SuiteCRM versions 7.11.11 and below suffer from an action_saveHTMLField bean manipulation vulnerability. • http://packetstormsecurity.com/files/156327/SuiteCRM-7.11.11-Bean-Manipulation.html http://seclists.org/fulldisclosure/2020/Feb/5 https://suitecrm.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-8801 – SuiteCRM 7.11.11 Phar Deserialization
https://notcve.org/view.php?id=CVE-2020-8801
SuiteCRM through 7.11.11 allows PHAR Deserialization. SuiteCRM versiones hasta 7.11.11, permite una deserialización de PHAR. SuiteCRM versions 7.11.11 and below suffer from multiple phar deserialization vulnerabilities. • http://packetstormsecurity.com/files/156324/SuiteCRM-7.11.11-Phar-Deserialization.html http://seclists.org/fulldisclosure/2020/Feb/4 https://suitecrm.com • CWE-502: Deserialization of Untrusted Data •
CVE-2020-8800 – SuiteCRM 7.11.11 Second-Order PHP Object Injection
https://notcve.org/view.php?id=CVE-2020-8800
SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. SuiteCRM versiones hasta 7.11.11, permite una Inyección de objeto PHP de la función EmailsControllerActionGetFromFields. SuiteCRM versions 7.11.11 and below suffer from a second-order php object injection vulnerability. • http://packetstormsecurity.com/files/156321/SuiteCRM-7.11.11-Second-Order-PHP-Object-Injection.html https://seclists.org/fulldisclosure/2020/Feb/3 https://suitecrm.com • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •