![](/assets/img/cve_300x82_sin_bg.png)
CVE-2024-50335 – Authenticated XSS in "Publish Key" Field Allowing Unauthorized Administrator User Creation in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50335
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions, such as creating new administrative users without proper authentication. The vulnerability arises due to insufficient input validation and sanitization of the P... • https://github.com/shellkraft/CVE-2024-50335 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-50333 – RCE in ModuleBuilder in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50333
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file, which is then included at runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89 • CWE-20: Improper Input Validation •
CVE-2024-50332 – Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50332
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-49774 – ModuleScanner flaws in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-49774
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on a blacklist of functions/methods to prevent installation of malicious MLPs, but these checks can be bypassed with certain syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and checks the resulting AST against the blacklists, but it does not take all scenarios into account. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-9v56-vhp4-x227 • CWE-20: Improper Input Validation •
CVE-2024-49773 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-49773
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows an authenticated user to perform a SQL injection attack: user-controlled input is used to build a SQL query. The `current_post` parameter of the `export` entry point can be abused to perform blind SQL injection via generateSearchWhere(). This allows information disclosure, including personally identifiable information. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-5hr4-r43c-6qf7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-49772 – Authenticated SQL injection in AM_ProjectTemplates controller in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-49772
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM version 7.14.4, poor input validation allows an authenticated user to perform a SQL injection attack. An authenticated user with low privilege can leak all data in the database. This issue has been addressed in releases 7.14.6 and 8.7.1. Users are advised to upgrade. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-4xj8-hr85-hm3m • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-45392 – SuiteCRM has wrong deletion permission checks on API delete call
https://notcve.org/view.php?id=CVE-2024-45392
05 Sep 2024 — SuiteCRM is an open-source customer relationship management (CRM) system. Prior to versions 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue. • https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_5 • CWE-284: Improper Access Control •
CVE-2024-36418 – SuiteCRM authenticated RCE using connectors
https://notcve.org/view.php?id=CVE-2024-36418
10 Jun 2024 — SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-mfj5-37v4-vh5w • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-36416 – SuiteCRM v4 API Excessive log data DOS
https://notcve.org/view.php?id=CVE-2024-36416
10 Jun 2024 — SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. • https://github.com/kva55/CVE-2024-36416 • CWE-779: Logging of Excessive Data •
CVE-2024-36417 – SuiteCRM Stored XSS Vulnerability Allows Code Execution via Malicious iFrame
https://notcve.org/view.php?id=CVE-2024-36417
10 Jun 2024 — SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added to some inputs, which could allow a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-3www-6rqc-rm7j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •