Page 7 of 35 results (0.006 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution. • https://github.com/manuelz120/CVE-2022-23940 https://docs.suitecrm.com/8.x/admin/releases/8.0 https://github.com/manuelz120 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution. SuiteCRM versiones anteriores a 7.12.3 y 8.x versiones anteriores a 8.0.2, permite una deserialización de PHAR que puede conllevar a una ejecución de código remota • https://docs.suitecrm.com/8.x/admin/releases/8.0 https://docs.suitecrm.com/admin/releases/7.12.x • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion. SuiteCRM versiones anteriores a 7.12.3 y 8.x versiones anteriores a 8.0.2, permite una inclusión de archivos locales • https://docs.suitecrm.com/8.x/admin/releases/8.0 https://docs.suitecrm.com/admin/releases/7.12.x •

CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. SuiteCRM versiones anteriores a 7.12.3 y 8.x versiones anteriores a 8.0.2, permite una ejecución de código remota • https://github.com/manuelz120/CVE-2021-45897 https://docs.suitecrm.com/8.x/admin/releases/8.0 https://docs.suitecrm.com/admin/releases/7.12.x •

CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. SuiteCRM antes de la versión 7.12.2 y 8.x antes de la versión 8.0.1 permiten la inyección SQL autentificada a través de la acción Tooltips en el módulo Project, involucrando resource_id y start_date • https://github.com/manuelz120/CVE-2021-45041 https://docs.suitecrm.com/8.x/admin/releases/8.0 https://docs.suitecrm.com/admin/releases/7.12.x • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •