CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45903
https://notcve.org/view.php?id=CVE-2021-45903
28 Dec 2021 — A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. Un problema persistente de tipo cross-site scripting (XSS en la interfaz web de SuiteCRM versiones anteriores a 7.10.35, y en versiones 7.11.x y 7.12.x anteriores a 7.12.2, permite a un atacante remoto introducir JavaScript arbitra... • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 19%CPEs: 6EXPL: 1CVE-2021-45041
https://notcve.org/view.php?id=CVE-2021-45041
19 Dec 2021 — SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. SuiteCRM antes de la versión 7.12.2 y 8.x antes de la versión 8.0.1 permiten la inyección SQL autentificada a través de la acción Tooltips en el módulo Project, involucrando resource_id y start_date • https://github.com/manuelz120/CVE-2021-45041 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 47%CPEs: 1EXPL: 4CVE-2021-42840 – SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2021-42840
22 Oct 2021 — SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328. SuiteCRM versiones anteriores a 7.11.19, permite una ejecución de código remota por medio de la configuración del sistema Log File Na... • https://packetstorm.news/files/id/165001 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41596
https://notcve.org/view.php?id=CVE-2021-41596
04 Oct 2021 — SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality. SuiteCRM versiones anteriores a 7.10.33 y 7.11.22 permite una divulgación de información por medio de Salto de Directorio. Un atacante puede incluir parcialmente archivos arbitrarios por medio del parámetro importFile de la funcionalidad RefreshMapping import • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41595
https://notcve.org/view.php?id=CVE-2021-41595
04 Oct 2021 — SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality. SuiteCRM versiones anteriores a 7.10.33 y 7.11.22, permite una divulgación de información por medio de Salto de Directorio. Un atacante puede incluir parcialmente archivos arbitrarios por medio del parámetro file_name de la funcionalidad Step3 import • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41869
https://notcve.org/view.php?id=CVE-2021-41869
04 Oct 2021 — SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation. SuiteCRM versiones 7.10.x anteriores a 7.10.33 y versiones 7.11.x anteriores a 7.11.22 es vulnerable a una escalada de privilegios • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33 •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-25961 – SuiteCRM - Account Takeover in Password Reset Functionality
https://notcve.org/view.php?id=CVE-2021-25961
29 Sep 2021 — In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id. En la aplicación "SuiteCRM", versiones v7.1.7 hasta v7.10.31 y versiones v7.11-beta hasta v7.11.20, falla al no comprobar apropiadamente los enlaces de restablecimiento de la contraseña asociados a un identificador de usuario eliminado, lo que... • https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39267
https://notcve.org/view.php?id=CVE-2021-39267
18 Aug 2021 — Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked. Una vulnerabilidad de tipo cross-site scripting (XSS) persistente en la interfaz web de SuiteCRM versiones anteriores a 7.11.19; permite a un atacante remoto introducir JavaScript a... • https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39268
https://notcve.org/view.php?id=CVE-2021-39268
18 Aug 2021 — Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed. Una vulnerabilidad de tipo cross-site scripting (XSS) persistente en la interfaz web de SuiteCRM versiones anteriores a 7.11.19; permite a un atacante remoto introducir JavaScript arbitrario por medio de archivos SVG maliciosos. Esto ocurre porque el mecanismo d... • https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-31792
https://notcve.org/view.php?id=CVE-2021-31792
30 Apr 2021 — XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field Una vulnerabilidad de tipo XSS en la página client account en SuiteCRM versiones anteriores al 7.11.19, permite a un atacante inyectar JavaScript por medio del campo name. • https://chris-forbes.github.io/CVE-2021-31792 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •