
SuiteCRM

24 CVEs (product)

CVE-2026-33288 HIGH This Week

SQL injection in SuiteCRM's authentication layer when directory-based login support is enabled. An authenticated attacker holding low-privilege directory credentials can execute arbitrary SQL and escalate to administrator. The root cause is insufficient sanitization of the username before it is used in the local database queries that map the directory account to a SuiteCRM user. Affected: SuiteCRM versions prior to 7.15.1 (7.x line) and 8.9.3 (8.x line); the affected range ends at those releases, so they are the versions to upgrade to.

Tags: Privilege Escalation, SQLi, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 8.8 | EPSS: 0.1%
CVE-2026-32697 MEDIUM This Month

SuiteCRM versions prior to 8.9.3 contain an authorization bypass in the RecordHandler::getRecord() method: it returns any record without performing an ACL view-permission check. Any authenticated user can therefore enumerate and read records across all modules (customer data, financial records, other confidential information) by reaching the method directly. The impact is information disclosure only; rated CVSS 6.5 (Medium). No active exploitation or public proof of concept was reported at the time of writing.

Tags: Authentication Bypass, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-29189 HIGH This Week

A high-severity broken-access-control vulnerability in the SuiteCRM REST API V8: multiple endpoints lack ACL (Access Control List) validation, so an authenticated user can read and modify data beyond their permissions. Affects SuiteCRM versions prior to 7.15.1 and 8.9.3. Low-privileged users can access sensitive customer data, modify records or perform administrative actions, i.e. escalate privileges inside the CRM. Rated CVSS 8.1. Valid credentials are still required, so this is an authorization rather than an authentication bypass, but any compromised or insider account is enough to exploit it.

Tags: Authentication Bypass, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 8.1 | EPSS: 0.0%
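The two entries above (CVE-2026-32697 and CVE-2026-29189) are the same bug class: a record handler or endpoint that returns data without consulting the ACL layer. The following is an added example, not SuiteCRM's code, that models that class in a deny-by-default form; the Record/User model, the in-memory STORE, the sample user BOB and the function names are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    module: str
    record_id: str
    owner: str
    data: dict


@dataclass
class User:
    name: str
    # module -> actions allowed on records this user owns (hypothetical model)
    own_perms: dict = field(default_factory=dict)
    # module -> actions allowed on any record in the module
    all_perms: dict = field(default_factory=dict)
    is_admin: bool = False


class AclDenied(PermissionError):
    """Raised for both 'forbidden' and 'no such record' (see get_record)."""


def acl_allows(user: User, record: Record, action: str) -> bool:
    """Deny by default: only an explicit grant returns True."""
    if user.is_admin:
        return True
    if action in user.all_perms.get(record.module, set()):
        return True
    if record.owner == user.name and action in user.own_perms.get(record.module, set()):
        return True
    return False


# Constructed sample store: (module, id) -> Record.
STORE = {
    ("Accounts", "a1"): Record("Accounts", "a1", "alice", {"name": "Acme", "revenue": 1200000}),
    ("Accounts", "a2"): Record("Accounts", "a2", "bob", {"name": "Globex", "revenue": 55000}),
    ("Opportunities", "o1"): Record("Opportunities", "o1", "bob", {"amount": 9000}),
}

# Constructed low-privilege user: may view only records they own.
BOB = User("bob", own_perms={"Accounts": {"view"}, "Opportunities": {"view", "edit"}})


def get_record_vulnerable(module: str, record_id: str) -> dict:
    """The bug class: the record is returned without asking who is asking."""
    return STORE[(module, record_id)].data


def get_record(user: User, module: str, record_id: str) -> dict:
    """Hardened: the ACL check lives in the handler itself, so every caller
    (UI action, REST endpoint, background job) goes through it."""
    rec = STORE.get((module, record_id))
    # Identical error for missing and forbidden records, so the endpoint
    # cannot be used as an oracle for which ids exist.
    if rec is None or not acl_allows(user, rec, "view"):
        raise AclDenied(f"{module}/{record_id}")
    return rec.data


def can_view(user: User, module: str, record_id: str) -> bool:
    try:
        get_record(user, module, record_id)
        return True
    except AclDenied:
        return False


def enumerate_readable(user: User) -> list:
    """Simulates an id sweep: which records does the hardened handler yield?"""
    return [(m, r) for (m, r) in STORE if can_view(user, m, r)]


def enumerate_readable_vulnerable() -> list:
    """Same sweep against the unchecked handler: everything comes back."""
    return [(m, r) for (m, r) in STORE if get_record_vulnerable(m, r) is not None]
```

The design point is where the check sits: in a CRM with a UI layer, a REST layer and scheduled jobs, an ACL check performed in the controller is skipped by every other caller, which is exactly how a "direct call to the method" bypasses it. Putting the check inside the data-access function and returning the same error for missing and forbidden ids closes both the disclosure and the enumeration oracle.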
CVE-2026-29108 MEDIUM This Month

SuiteCRM prior to version 8.9.3 exposes an API endpoint that lets any authenticated user retrieve sensitive data about other users, including usernames, password hashes and MFA configuration. An attacker with valid low-privilege credentials can enumerate accounts and attempt to crack administrative password hashes offline, escalating privileges within the CRM. Authentication is required but no user interaction is, which makes this practical for insiders and for compromised low-privilege accounts.

Tags: Information Disclosure, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-29107 MEDIUM This Month

Server-Side Request Forgery in SuiteCRM versions prior to 7.15.1 and 8.9.3: an authenticated user can create a PDF template containing image tags whose URLs the server fetches when the PDF is generated. An attacker with login credentials can use this to scan internal networks, reach services bound to localhost or internal addresses, and retrieve their responses from the server's network position. The affected range ends at 7.15.1 and 8.9.3, so those are the releases to upgrade to.

Tags: SSRF, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 5.0 | EPSS: 0.0%
CVE-2026-29106 MEDIUM This Month

SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a cross-site scripting (XSS) vulnerability in the return_id request parameter, which is insufficiently sanitized before being written into HTML event handler attributes. An authenticated attacker with high privileges can craft a payload that executes arbitrary JavaScript in other users' browsers, enabling session hijacking, credential theft or actions performed on the victims' behalf. Exploitation requires authenticated access and user interaction, but the platform is widely deployed in enterprises.

Tags: XSS, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2026-29104 LOW Monitor

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application.

Tags: File Upload, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 2.7 | EPSS: 0.0%
CVE-2026-29102 HIGH This Week

An authenticated remote code execution vulnerability in SuiteCRM modules allows high-privileged (admin-level) users to execute arbitrary code on the server. Affects SuiteCRM versions prior to 7.15.1 and 8.9.3; the root cause is improper control of code generation (CWE-94, code injection). The privilege requirement limits exposure, but a compromised or malicious administrator account becomes full control of the server and of the customer data it holds.

Tags: RCE, Code Injection, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 7.2 | EPSS: 0.3%
CVE-2026-29101 MEDIUM This Month

SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a denial-of-service vulnerability: an authenticated attacker with high privileges can crash the application through path traversal manipulation. Administrative credentials are required; exploitation is remote and needs no user interaction. The affected range ends at 7.15.1 and 8.9.3, so those are the releases to upgrade to.

Tags: Information Disclosure, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 4.9 | EPSS: 0.0%
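The entry above (CVE-2026-29101) is triggered through path traversal. The following is an added example, not SuiteCRM's code, showing how to confine a user-supplied relative path to a base directory on the resolved filesystem location rather than on the string; the directory layout it builds under a temporary directory is constructed for the demonstration.

```python
import os
import tempfile


class PathOutsideBase(ValueError):
    pass


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and refuse anything that escapes it.

    realpath() collapses '..' segments and follows symlinks, so the
    containment check is made on the final location, not on the text.
    """
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PathOutsideBase(user_path)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(user_path)
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    try:
        safe_join(base_dir, user_path)
        return True
    except PathOutsideBase:
        return False


def demo() -> dict:
    """Constructed layout: <tmp>/uploads/report.txt, <tmp>/secret.txt and,
    where the platform allows it, a symlink uploads/escape -> ../secret.txt."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.makedirs(base)
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("ok")
    outside = os.path.join(root, "secret.txt")
    with open(outside, "w") as fh:
        fh.write("secret")
    results = {
        "plain": is_confined(base, "report.txt"),
        "dotdot": is_confined(base, "../secret.txt"),
        "nested_dotdot": is_confined(base, "sub/../../secret.txt"),
        "absolute": is_confined(base, outside),
        "null_byte": is_confined(base, "report.txt\x00.png"),
    }
    try:
        os.symlink(outside, os.path.join(base, "escape"))
        # A symlink inside the base that points outside must also be refused.
        results["symlink"] = is_confined(base, "escape")
    except OSError:
        pass  # symlinks not permitted here; skip that case
    return results
```

Checking `commonpath` on realpath-resolved values is what catches the symlink and the `sub/../../` cases that a textual `..` filter misses; the null-byte and absolute-path rejections are the two other classic ways a path check is bypassed before it even runs.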
CVE-2026-29100 HIGH This Week

A reflected HTML injection vulnerability in the login page of SuiteCRM 7.15.0 allows an unauthenticated attacker to inject arbitrary HTML, usable for phishing and page defacement. Exploitation requires user interaction (the victim opens a crafted link) but no authentication, and only this specific version is listed as affected. No active exploitation is recorded in KEV and no public proof of concept is mentioned; the practical risk is targeted phishing that abuses the trusted login page.

Tags: XSS, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 7.1 | EPSS: 0.0%
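CVE-2026-29106 above (a parameter written into an event handler attribute) and CVE-2026-29100 (markup reflected into the login page) are both output-encoding failures, but they need different fixes because the injection contexts differ. The following is an added example, not SuiteCRM's code; the page fragments, the `goBack` handler, the return_id format assumption and the sample payloads are constructed.

```python
import html
import re

# Assumption: return_id is a GUID-style record id, so a bounded
# [0-9a-fA-F-] allow-list is sufficient validation.
RETURN_ID_RE = re.compile(r"[0-9a-fA-F-]{1,36}")


def render_back_button_vulnerable(return_id: str) -> str:
    """Raw interpolation into an event handler: the attacker writes JS."""
    return f'<button onclick="goBack(\'{return_id}\')">Back</button>'


def handler_value_after_browser_decoding(value: str) -> str:
    """Why HTML-escaping alone does not fix the handler case: the browser
    entity-decodes an attribute value before the JS engine parses it, so
    an escaped quote turns back into a quote inside the script."""
    return html.unescape(html.escape(value, quote=True))


def is_valid_return_id(return_id: str) -> bool:
    return RETURN_ID_RE.fullmatch(return_id) is not None


def render_back_button(return_id: str) -> str:
    """Hardened: allow-list the value, then keep it out of script context by
    placing it in a data attribute that page script reads via the DOM."""
    if not is_valid_return_id(return_id):
        raise ValueError("invalid return_id")
    return f'<button data-return-id="{html.escape(return_id, quote=True)}">Back</button>'


def render_login_message_vulnerable(msg: str) -> str:
    """Reflected straight into the page body: HTML injection."""
    return f"<p class='error'>{msg}</p>"


def render_login_message(msg: str) -> str:
    """HTML text-node context: entity encoding is the correct defence here."""
    return f"<p class='error'>{html.escape(msg, quote=True)}</p>"


# Constructed attacker inputs.
HANDLER_PAYLOAD = "') ; alert(1); ('"
LOGIN_PAYLOAD = '<a href="http://evil.example/reset">Your session expired, sign in again</a>'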
CVE-2026-29097 HIGH This Week

The RSS Feed Dashlet in SuiteCRM versions before 7.15.1 and 8.9.3 is vulnerable to server-side request forgery (SSRF) that can be used to cause denial of service. An unauthenticated remote attacker can disrupt service availability without any user interaction. The affected range ends at 7.15.1 and 8.9.3, so those are the releases to upgrade to.

Tags: Denial Of Service, SSRF, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%
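Both SSRF entries on this page, the PDF template image URLs of CVE-2026-29107 and the feed URL of the RSS Dashlet in CVE-2026-29097, come down to the server fetching an attacker-chosen URL. The following is an added example, not SuiteCRM's code, of an allow-list policy applied to outbound URLs before any fetch; the allow-listed hosts, the template snippet and the regex used to pull image sources out of it are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed policy: the server may only fetch from these hosts.
ALLOWED_HOSTS = {"cdn.example.com", "feeds.example.org"}
IMG_SRC_RE = re.compile(r'<img[^>]+src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


class UnsafeUrl(ValueError):
    pass


def check_outbound_url(url: str) -> str:
    """Return url if policy allows the server to fetch it, else raise."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {url}")       # file://, gopher://, ...
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise UnsafeUrl(f"missing host or userinfo trick: {url}")  # http://allowed@evil/
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    # IP literal that is loopback, RFC1918, link-local (169.254.169.254
    # metadata), etc.: give a specific reason before the allow-list check.
    if addr is not None and not addr.is_global:
        raise UnsafeUrl(f"non-global address: {url}")
    if host not in ALLOWED_HOSTS:                           # hostname is already lower-cased
        raise UnsafeUrl(f"host not allow-listed: {url}")
    return url


def is_fetchable(url: str) -> bool:
    try:
        check_outbound_url(url)
        return True
    except UnsafeUrl:
        return False


def template_image_urls(template_html: str) -> dict:
    """Map every <img src> in a template to the policy decision."""
    return {u: is_fetchable(u) for u in IMG_SRC_RE.findall(template_html)}


# Constructed template of the kind an attacker might save.
SAMPLE_TEMPLATE = """
<h1>Quote</h1>
<img src="https://cdn.example.com/logo.png">
<img src='http://169.254.169.254/latest/meta-data/'>
<img src="http://127.0.0.1:9200/_cat/indices">
<img src="file:///etc/passwd">
<img src="http://10.0.0.5/admin">
<img src="http://cdn.example.com@10.0.0.5/">
"""
```

Two caveats for the real fetcher: a hostname allow-list does not stop DNS rebinding on its own, so the HTTP client should resolve once, check the resulting address with the same `is_global` test and connect to that pinned address; and for the denial-of-service variant the fetch needs a connect/read timeout and a maximum response size, since an allow-listed host can still be slow or return an unbounded body.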
CVE-2026-29096 HIGH This Week

A second-order SQL injection vulnerability in the Reports module of SuiteCRM lets authenticated users with reporting privileges execute arbitrary SQL when a report is viewed: the payload is stored as part of the report definition and only reaches a query later, at render time. Affects versions before 7.15.1 and 8.9.3. Attackers can extract database contents including password hashes, API tokens and configuration values, and on MySQL installations where the database account holds the FILE privilege the injection can be extended to writing files and potentially to remote code execution. No public exploit or active exploitation was reported; rated CVSS 8.1 because of the combined data-theft and system-compromise potential.

Tags: SQLi, SuiteCRM
References: NVD, GitHub, VulDB
CVSS 3.1: 8.1 | EPSS: 0.0%
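CVE-2026-33288 at the top of this page (a username concatenated into the local lookup during directory-backed login) and CVE-2026-29096 above (a stored report filter concatenated into SQL when the report runs) are first- and second-order forms of the same defect. The following is an added example, not SuiteCRM's code, that reproduces both against an in-memory SQLite database and shows the parameterized fix; the schema, rows, payloads and function names are constructed, and the second-order case deliberately stores the payload with a safe parameterized INSERT to make the point that write-time safety does not protect a read-time concatenation.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, user_name TEXT, is_admin INTEGER, user_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 1, '$2y$10$adminhash');
        INSERT INTO users VALUES (2, 'carol', 0, '$2y$10$carolhash');
        CREATE TABLE reports(id INTEGER PRIMARY KEY, owner TEXT, status_filter TEXT);
        CREATE TABLE cases(id INTEGER PRIMARY KEY, owner TEXT, status TEXT, note TEXT);
        INSERT INTO cases VALUES (1, 'carol', 'open', 'routine');
        INSERT INTO cases VALUES (2, 'admin', 'open', 'board minutes');
    """)
    return db


# --- first order: directory username used to find the local account --------

def local_user_vulnerable(db, directory_username):
    """String-built query: the directory username is trusted as SQL."""
    return db.execute(
        f"SELECT user_name, is_admin FROM users WHERE user_name = '{directory_username}'"
    ).fetchone()


def local_user(db, directory_username):
    """Parameterized: the username can only ever be compared as data."""
    return db.execute(
        "SELECT user_name, is_admin FROM users WHERE user_name = ?",
        (directory_username,),
    ).fetchone()


# --- second order: filter stored safely, injected when the report runs -----

def save_report_filter(db, owner, status_filter) -> int:
    # Parameterized INSERT: the payload is stored intact and harmlessly here.
    db.execute("INSERT INTO reports(owner, status_filter) VALUES (?, ?)", (owner, status_filter))
    return db.execute("SELECT last_insert_rowid()").fetchone()[0]


def run_report_vulnerable(db, owner, report_id):
    status = db.execute("SELECT status_filter FROM reports WHERE id = ?", (report_id,)).fetchone()[0]
    # The stored value is treated as trusted "because it came from the database".
    sql = f"SELECT owner, note FROM cases WHERE owner = '{owner}' AND status = '{status}'"
    return db.execute(sql).fetchall()


def run_report(db, owner, report_id):
    status = db.execute("SELECT status_filter FROM reports WHERE id = ?", (report_id,)).fetchone()[0]
    return db.execute(
        "SELECT owner, note FROM cases WHERE owner = ? AND status = ?", (owner, status)
    ).fetchall()


# Constructed payloads.
LOGIN_PAYLOAD = "' OR is_admin = 1 --"
REPORT_PAYLOAD = "' UNION SELECT user_name, user_hash FROM users --"
```

With `LOGIN_PAYLOAD` the vulnerable lookup maps an arbitrary directory account to the admin row, which is the privilege escalation described in the first entry; with `REPORT_PAYLOAD` the vulnerable report returns every password hash from the users table, which is the data-extraction outcome described for the Reports module. The parameterized versions return no match in both cases. The general rule the second case illustrates: every query that receives a value from anywhere, including your own tables, must bind it as a parameter, because the trust boundary is the query, not the source of the string.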
CVE-2025-64493 MEDIUM This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated medium severity (CVSS 6.5); remotely exploitable with low attack complexity. No vendor patch available.

Tags: SQLi, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 6.5 | EPSS: 0.1%
CVE-2025-64492 HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.

Tags: SQLi, Information Disclosure, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 8.8 | EPSS: 0.1%
CVE-2025-64491 MEDIUM PATCH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated medium severity (CVSS 6.1); remotely exploitable with low attack complexity and no authentication required. This cross-site scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Tags: XSS, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 6.1 | EPSS: 0.1%
CVE-2025-64490 HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.3); remotely exploitable with low attack complexity. No vendor patch available.

Tags: Information Disclosure, Authentication Bypass, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 8.3 | EPSS: 0.1%
CVE-2025-64489 HIGH PATCH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.3); remotely exploitable with low attack complexity. This improper privilege management vulnerability could allow attackers to escalate privileges and gain unauthorized elevated access.

Tags: Privilege Escalation, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 8.3 | EPSS: 0.1%
CVE-2025-64488 HIGH PATCH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.6); remotely exploitable with low attack complexity. This SQL injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

Tags: SQLi, SuiteCRM
References: NVD, GitHub
CVSS 4.0: 8.6 | EPSS: 0.1%
CVE-2025-54787 LOW Monitor

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated low severity (CVSS 3.7); remotely exploitable with no authentication required. No vendor patch available.

Tags: Authentication Bypass, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 3.7 | EPSS: 0.1%
CVE-2025-54784 HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.6); remotely exploitable with low attack complexity and no authentication required. No vendor patch available.

Tags: XSS, SuiteCRM
References: NVD, GitHub
CVSS 4.0: 8.6 | EPSS: 0.0%
CVE-2025-54783 MEDIUM This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated medium severity (CVSS 5.1); remotely exploitable with low attack complexity and no authentication required. No vendor patch available.

Tags: XSS, SuiteCRM
References: NVD, GitHub
CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2025-54788 HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.

Tags: SQLi, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 8.8 | EPSS: 0.1%
CVE-2025-54786 MEDIUM This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity and no authentication required. No vendor patch available.

Tags: Information Disclosure, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-54785 HIGH This Month

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.8); remotely exploitable with low attack complexity. No vendor patch available.

Tags: Denial Of Service, Deserialization, Privilege Escalation, Information Disclosure, SuiteCRM
References: NVD, GitHub
CVSS 3.1: 8.8 | EPSS: 0.1%