CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 1CVE-2024-50335 – Authenticated XSS in "Publish Key" Field Allowing Unauthorized Administrator User Creation in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50335
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions, such as creating new administrative users without proper authentication. The vulnerability arises due to insufficient input validation and sanitization of the Publish Key field within the SuiteCRM application. When an attacker injects a malicious script, it gets executed within the context of an authenticated user's session. • https://github.com/shellkraft/CVE-2024-50335 https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-8rw6-g96j-3w7m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50333 – RCE in ModuleBuilder in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50333
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file that will be included at the runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50332 – Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50332
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49774 – ModuleScanner flaws in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-49774
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist of functions/methods to prevent installation of malicious MLPs. But this checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulted AST against blacklists. But it doesn't take into account all scenarios. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-49773 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-49773
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows authenticated user do a SQL injection attack. User-controlled input is used to build SQL query. `current_post` parameter in `export` entry point can be abused to perform blind SQL injection via generateSearchWhere(). Allows for Information disclosure, including personally identifiable information. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-5hr4-r43c-6qf7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •