pkg:Bitnami/suitecrm

All known vulnerabilities

• CRITICAL9.8CVE-2024-36412SuiteCRM unauthenticated SQL Injection
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• CRITICAL9.8CVE-2020-8783SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8CVE-2020-8784SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
  from 0, < 7.11.12
• CRITICAL9.8SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
  from 0, < 7.11.12
• CRITICAL9.8SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
  from 0, < 7.12.3, >= 8.0.0, < 8.0.2
• CRITICAL9.8SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
  from 0, < 7.12.3, >= 8.0.0, < 8.0.2
• CRITICAL9.8Code Injection in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• CRITICAL9.1SQL Injection in salesagility/suitecrm
  from 0, < 7.14.1
• CRITICAL9.0SuiteCRM Stored XSS Vulnerability Allows Code Execution via Malicious iFrame
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8An issue was discovered in SuiteCRM 7.12.7.
  >= 7.12.7, <= 7.12.7
• HIGH8.8Suite CRM v7.14.2 - RCE via Local File Inclusion
  >= 7.14.2, < 7.14.3
• HIGH8.8Authenticated SQL injection in AM_ProjectTemplates controller in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH8.8Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH8.8RCE in ModuleBuilder in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH8.8SuiteCRM authenticated SQL Injection in Alerts
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8SuiteCRM authenticated SQL Injection in TreeData entrypoint
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8SuiteCRM authenticated SQL Injection in EmailUIAjax messages count controller
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8SuiteCRM authenticated SQL Injection in EmailUIAjax displayView controller
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8SuiteCRM authenticated RCE using connectors
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting.
  from 0, < 7.11.17
• HIGH8.8SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
  from 0, < 7.11.12
• HIGH8.8SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is…
  >= 7.10.0, < 7.10.35, >= 7.12.0, < 7.12.2
• HIGH8.8SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
  >= 7.10.0, < 7.10.33, >= 7.11.0, < 7.11.22
• HIGH8.8SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting.
  from 0, < 7.11.19
• HIGH8.8SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving res…
  from 0, < 7.12.2 | >= 8.0.0, <= 8.0.0
• HIGH8.8SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.
  from 0, < 7.12.3, >= 8.0.0, < 8.0.2
• HIGH8.8SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution.
  from 0, < 7.12.5, >= 8.0.0, < 8.0.4
• HIGH8.8Path Traversal: '\..\filename' in salesagility/suitecrm
  from 0, < 7.12.9
• HIGH8.8Cross-Site Request Forgery (CSRF) in salesagility/suitecrm-core
  from 0, < 8.3.1
• HIGH8.8Code Injection in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• HIGH8.8Path Traversal: '\..\filename' in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• HIGH8.8Code Injection in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• HIGH8.1An issue was discovered in SuiteCRM 7.12.7.
  >= 7.12.7, <= 7.12.7
• HIGH8.0SuiteCRM - CSV Injection in Accounts Module
  >= 7.10.29, < 7.10.32, >= 7.11.18, < 7.11.21
• HIGH8.0SuiteCRM - Account Takeover in Password Reset Functionality
  >= 7.1.7, < 7.10.32, >= 7.11.0, < 7.11.21
• HIGH7.8SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules.
  from 0, < 7.11.14
• HIGH7.5SuiteCRM v4 API Excessive log data DOS
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH7.5SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• HIGH7.2ModuleScanner flaws in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH7.2SuiteCRM through 7.11.11 allows PHAR Deserialization.
  from 0, < 7.11.12
• HIGH7.2SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
  >= 7.11.23, < 7.11.24
• MEDIUM6.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• MEDIUM6.5SuiteCRM unauthenticated user password reset on php7
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM6.5SuiteCRM authenticated Server-Side Request Forgery
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM6.5SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
  from 0, < 7.11.11
• MEDIUM6.5SQL Injection in salesagility/suitecrm
  from 0, < 7.12.5
• MEDIUM6.5Missing Authorization in salesagility/suitecrm
  from 0, < 7.12.5
• MEDIUM6.5Improper Access Control in salesagility/suitecrm
  from 0, < 7.14.1
• MEDIUM6.1SuiteCRM-Core Host Header Injection in /legacy
  from 0, < 8.6.1
• MEDIUM6.1SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
  from 0, < 7.11.14
• MEDIUM6.1Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaS…
  from 0, < 7.11.19
• MEDIUM6.1Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaS…
  from 0, < 7.11.19
• MEDIUM6.1A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows…
  from 0, < 7.10.35, >= 7.11.0, < 7.12.2
• MEDIUM5.4Authenticated XSS in "Publish Key" Field Allowing Unauthorized Administrator User Creation in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• MEDIUM5.4SuiteCRM vulnerable to open redirects
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM5.4SuiteCRM authenticated Reflected Cross-Site Scripting
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM5.4SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality.
  from 0, < 7.11.14
• MEDIUM5.4XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
  from 0, < 7.11.19
• MEDIUM5.4Cross-site Scripting (XSS) - Stored in salesagility/suitecrm
  from 0, < 7.14.1
• MEDIUM5.4Unrestricted Upload of File with Dangerous Type in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• MEDIUM5.4Cross-site Scripting (XSS) - Reflected in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• MEDIUM5.3SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data
  >= 7.14.6, < 7.14.7, >= 8.8.0, < 8.8.1
• MEDIUM5.3SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal.
  from 0, < 7.10.33, >= 7.11.0, < 7.11.22
• MEDIUM5.3SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal.
  from 0, < 7.10.33, >= 7.11.0, < 7.11.22
• MEDIUM5.3SuiteCRM has Unauthenticated Graphql Introspection Enabled
  >= 8.4.1, < 8.4.2
• MEDIUM5.0Suite CRM v7.14.2 - SSRF
  >= 7.14.2, < 7.14.3
• MEDIUM4.8Cross-site Scripting (XSS) - Stored in salesagility/suitecrm-core
  >= 8.0.0, < 8.0.3
• MEDIUM4.3SuiteCRM has wrong deletion permission checks on API delete call
  from 0, < 7.14.5, >= 8.0.0, < 8.6.2
• MEDIUM4.3Missing Authorization in salesagility/suitecrm
  from 0, < 7.12.5
• MEDIUM4.3Server-Side Request Forgery (SSRF) in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2