CVE-2024-49772 – Authenticated SQL injection in AM_ProjectTemplates controller in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-49772
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor input validation allows an authenticated user to perform a SQL injection attack. An authenticated user with low privilege can leak all data in the database. This issue has been addressed in releases 7.14.6 and 8.7.1. Users are advised to upgrade. References: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-4xj8-hr85-hm3m. Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
CVE-2024-45392 – SuiteCRM has wrong deletion permission checks on API delete call
https://notcve.org/view.php?id=CVE-2024-45392
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to versions 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue. References: https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_5 and https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8qfx-h7pm-2587. Weakness: CWE-284: Improper Access Control.
CVE-2024-36418 – SuiteCRM authenticated RCE using connectors
https://notcve.org/view.php?id=CVE-2024-36418
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. References: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w. Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
CVE-2024-36416 – SuiteCRM v4 API Excessive log data DOS
https://notcve.org/view.php?id=CVE-2024-36416
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. References: https://github.com/kva55/CVE-2024-36416, https://docs.suitecrm.com/admin/releases/7.14.x and https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-jrpp-22g3-2j77. Weakness: CWE-779: Logging of Excessive Data.
CVE-2024-36417 – SuiteCRM Stored XSS Vulnerability Allows Code Execution via Malicious iFrame
https://notcve.org/view.php?id=CVE-2024-36417
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added to some inputs, which could allow a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. References: https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j. Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').