CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45903
https://notcve.org/view.php?id=CVE-2021-45903
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268. Un problema persistente de tipo cross-site scripting (XSS en la interfaz web de SuiteCRM versiones anteriores a 7.10.35, y en versiones 7.11.x y 7.12.x anteriores a 7.12.2, permite a un atacante remoto introducir JavaScript arbitrario por medio de la carga de archivos adjuntos, una vulnerabilidad diferente a la de CVE-2021-39267 y CVE-2021-39268 • https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_35 https://docs.suitecrm.com/admin/releases/7.12.x/#_7_12_2 https://github.com/ach-ing/cves/blob/main/CVE-2021-45903.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1CVE-2021-45041
https://notcve.org/view.php?id=CVE-2021-45041
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. SuiteCRM antes de la versión 7.12.2 y 8.x antes de la versión 8.0.1 permiten la inyección SQL autentificada a través de la acción Tooltips en el módulo Project, involucrando resource_id y start_date • https://github.com/manuelz120/CVE-2021-45041 https://docs.suitecrm.com/8.x/admin/releases/8.0 https://docs.suitecrm.com/admin/releases/7.12.x • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •