SalesagilityCVEs & Vulnerabilities

103 CVEs affecting Salesagility products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

suitecrm 139
CVE-2023-5353MEDIUM

Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.

3 Oct 2023
6.5
CVSS
CVE-2023-5351MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1.

3 Oct 2023
5.4
CVSS
CVE-2023-5350CRITICAL

SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.

3 Oct 2023
9.1
CVSS
CVE-2023-3627HIGH

Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.

11 Jul 2023
8.8
CVSS
CVE-2023-3293MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to 8.3.0.

16 Jun 2023
4.8
CVSS
CVE-2023-1034HIGH

Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.

25 Feb 2023
8.8
CVSS
CVE-2022-27474HIGH

SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.

15 Apr 2022
7.2
CVSS
CVE-2022-23940HIGH

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.

10 Mar 2022
8.8
CVSS
CVE-2022-0756MEDIUM

Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

7 Mar 2022
6.5
CVSS
CVE-2022-0755MEDIUM

Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

7 Mar 2022
4.3
CVSS
CVE-2022-0754MEDIUM

SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.

7 Mar 2022
6.5
CVSS
CVE-2021-45899CRITICAL

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.

28 Jan 2022
9.8
CVSS
CVE-2021-45898CRITICAL

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.

28 Jan 2022
9.8
CVSS
CVE-2021-45897HIGH

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.

28 Jan 2022
8.8
CVSS
CVE-2021-41597HIGH

SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.

12 Jan 2022
8.8
CVSS
CVE-2021-45903MEDIUM

A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.

28 Dec 2021
6.1
CVSS
CVE-2021-45041HIGH

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.

19 Dec 2021
8.8
CVSS
CVE-2021-42840HIGHpoc

SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.

22 Oct 2021
8.8
CVSS
CVE-2021-41596MEDIUM

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.

4 Oct 2021
5.3
CVSS
CVE-2021-41595MEDIUM

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.

4 Oct 2021
5.3
CVSS
CVE-2021-41869HIGH

SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.

4 Oct 2021
8.8
CVSS
CVE-2021-25961HIGH

In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.

29 Sep 2021
8.0
CVSS
CVE-2021-25960HIGH

In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.

29 Sep 2021
8.0
CVSS
CVE-2021-39268MEDIUM

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.

18 Aug 2021
6.1
CVSS
CVE-2021-39267MEDIUM

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.

18 Aug 2021
6.1
CVSS
CVE-2021-31792MEDIUM

XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field

1 May 2021
5.4
CVSS
CVE-2020-15300MEDIUM

SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.

19 Nov 2020
6.1
CVSS
CVE-2020-14208MEDIUM

SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.

19 Nov 2020
5.4
CVSS
CVE-2020-15301HIGH

SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.

19 Nov 2020
7.8
CVSS
CVE-2020-28328HIGHpoc

SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

6 Nov 2020
8.8
CVSS
CVE-2019-18782MEDIUM

SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.

20 Mar 2020
5.3
CVSS
CVE-2020-8787HIGH

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.

17 Mar 2020
7.5
CVSS
CVE-2020-8786CRITICAL

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).

17 Mar 2020
9.8
CVSS
CVE-2020-8785CRITICAL

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).

17 Mar 2020
9.8
CVSS
CVE-2020-8784CRITICAL

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).

17 Mar 2020
9.8
CVSS
CVE-2020-8783CRITICAL

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).

17 Mar 2020
9.8
CVSS
CVE-2020-8804MEDIUM

SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.

13 Feb 2020
6.5
CVSS
CVE-2020-8803CRITICAL

SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.

13 Feb 2020
9.8
CVSS
CVE-2020-8802CRITICAL

SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.

13 Feb 2020
9.8
CVSS
CVE-2020-8801HIGH

SuiteCRM through 7.11.11 allows PHAR Deserialization.

13 Feb 2020
7.2
CVSS
CVE-2020-8800HIGH

SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.

13 Feb 2020
8.8
CVSS
CVE-2019-18784CRITICAL

SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.

6 Nov 2019
9.8
CVSS
CVE-2019-14454CRITICAL

SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to vertical privilege escalation.

2 Oct 2019
9.8
CVSS
CVE-2019-13335CRITICAL

SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF.

2 Oct 2019
9.8
CVSS
CVE-2019-14752MEDIUM

SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS.

30 Sep 2019
6.1
CVSS
CVE-2019-16922MEDIUM

SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.

27 Sep 2019
5.3
CVSS
CVE-2019-12601CRITICAL

SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).

7 Jun 2019
9.8
CVSS
CVE-2019-12600CRITICAL

SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).

7 Jun 2019
9.8
CVSS