CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45903
https://notcve.org/view.php?id=CVE-2021-45903
28 Dec 2021 — A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. Un problema persistente de tipo cross-site scripting (XSS en la interfaz web de SuiteCRM versiones anteriores a 7.10.35, y en versiones 7.11.x y 7.12.x anteriores a 7.12.2, permite a un atacante remoto introducir JavaScript arbitra... • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1CVE-2021-45041
https://notcve.org/view.php?id=CVE-2021-45041
19 Dec 2021 — SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. SuiteCRM antes de la versión 7.12.2 y 8.x antes de la versión 8.0.1 permiten la inyección SQL autentificada a través de la acción Tooltips en el módulo Project, involucrando resource_id y start_date • https://github.com/manuelz120/CVE-2021-45041 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 21%CPEs: 1EXPL: 4CVE-2021-42840 – SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2021-42840
22 Oct 2021 — SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328. SuiteCRM versiones anteriores a 7.11.19, permite una ejecución de código remota por medio de la configuración del sistema Log File Na... • https://packetstorm.news/files/id/165001 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41596
https://notcve.org/view.php?id=CVE-2021-41596
04 Oct 2021 — SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. SuiteCRM versiones anteriores a 7.10.33 y 7.11.22 permite una divulgación de información por medio de Salto de Directorio. Un atacante puede incluir parcialmente archivos arbitrarios por medio del parámetro importFile de la funcionalidad RefreshMapping import • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41595
https://notcve.org/view.php?id=CVE-2021-41595
04 Oct 2021 — SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality. SuiteCRM versiones anteriores a 7.10.33 y 7.11.22, permite una divulgación de información por medio de Salto de Directorio. Un atacante puede incluir parcialmente archivos arbitrarios por medio del parámetro file_name de la funcionalidad Step3 import • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41869
https://notcve.org/view.php?id=CVE-2021-41869
04 Oct 2021 — SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation. SuiteCRM versiones 7.10.x anteriores a 7.10.33 y versiones 7.11.x anteriores a 7.11.22 es vulnerable a una escalada de privilegios • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-25960 – SuiteCRM - CSV Injection in Accounts Module
https://notcve.org/view.php?id=CVE-2021-25960
29 Sep 2021 — In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. En la aplicación "SuiteCRM", versiones v7.11... • https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-25961 – SuiteCRM - Account Takeover in Password Reset Functionality
https://notcve.org/view.php?id=CVE-2021-25961
29 Sep 2021 — In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. En la aplicación "SuiteCRM", versiones v7.1.7 hasta v7.10.31 y versiones v7.11-beta hasta v7.11.20, falla al no comprobar apropiadamente los enlaces de restablecimiento de la contraseña asociados a un identificador de usuario eliminado, lo que... • https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39267
https://notcve.org/view.php?id=CVE-2021-39267
18 Aug 2021 — Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked. Una vulnerabilidad de tipo cross-site scripting (XSS) persistente en la interfaz web de SuiteCRM versiones anteriores a 7.11.19; permite a un atacante remoto introducir JavaScript a... • https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39268
https://notcve.org/view.php?id=CVE-2021-39268
18 Aug 2021 — Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. Una vulnerabilidad de tipo cross-site scripting (XSS) persistente en la interfaz web de SuiteCRM versiones anteriores a 7.11.19; permite a un atacante remoto introducir JavaScript arbitrario por medio de archivos SVG maliciosos. Esto ocurre porque el mecanismo d... • https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •