CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-31792
https://notcve.org/view.php?id=CVE-2021-31792
30 Apr 2021 — XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field Una vulnerabilidad de tipo XSS en la página client account en SuiteCRM versiones anteriores al 7.11.19, permite a un atacante inyectar JavaScript por medio del campo name. • https://chris-forbes.github.io/CVE-2021-31792 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14208
https://notcve.org/view.php?id=CVE-2020-14208
18 Nov 2020 — SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML. SuiteCRM versión 7.11.13, está afectado por una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en la funcionalidad Documents preview. Esta vulnerabilidad podría permitir a atacantes autenticados remotamente inyectar código web o HTML arbitrario • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15300
https://notcve.org/view.php?id=CVE-2020-15300
18 Nov 2020 — SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. SuiteCRM versiones hasta 7.11.13, presenta un redireccionamiento abierto en el módulo Documents por medio de un documento SVG diseñado • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-009 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15301
https://notcve.org/view.php?id=CVE-2020-15301
18 Nov 2020 — SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. SuiteCRM versiones hasta 7.11.13, permite la inyección de CSV por medio de los campos de registro en los módulos Accounts, Contacts, Opportunities, y Leads. Estos campos son manejados inapropiadamente durante una operación de Descargar plantilla de archivo de importación • https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-010 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 9.0EPSS: 21%CPEs: 1EXPL: 8CVE-2020-28328 – SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-28328
06 Nov 2020 — SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. SuiteCRM versiones anteriores a 7.11.17 es vulnerable a una ejecución de código remota por medio de la configuración Log File Name de los ajustes de sistema. En determinadas circunstancias involucra la toma de control de la cuenta de administrador, la fun... • https://packetstorm.news/files/id/162975 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-18785
https://notcve.org/view.php?id=CVE-2019-18785
20 Mar 2020 — SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. SuiteCRM versiones 7.10.x anteriores a 7.10.21 y versiones 7.11.x anteriores a 7.11.9, maneja inapropiadamente tokens y credenciales de acceso a la API. • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-18782
https://notcve.org/view.php?id=CVE-2019-18782
20 Mar 2020 — SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism. SuiteCRM versiones 7.10.x anteriores a 7.10.21 y versiones 7.11.x anteriores a 7.11.9, no implementa correctamente el mecanismo de protección de .htaccess. • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_21 •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-8784
https://notcve.org/view.php?id=CVE-2020-8784
16 Mar 2020 — SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). SuiteCRM versiones 7.10.x anteriores a 7.10.23 y versiones 7.11.x anteriores a 7.11.11, permiten una Inyección SQL (problema 2 de 4). • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-8785
https://notcve.org/view.php?id=CVE-2020-8785
16 Mar 2020 — SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). SuiteCRM versiones 7.10.x anteriores a 7.10.23 y versiones 7.11.x anteriores a 7.11.11, permiten una Inyección SQL (problema 3 de 4). • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-8786
https://notcve.org/view.php?id=CVE-2020-8786
16 Mar 2020 — SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4). SuiteCRM versiones 7.10.x anteriores a 7.10.23 y versiones 7.11.x anteriores a 7.11.11, permiten una Inyección SQL (problema 4 de 4). • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_23 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •