Dillon-Brown

2 exploits Active since Sep 2021
CVE-2021-25960 WRITEUP HIGH WRITEUP
SuiteCRM <7.11.19 & 7.10.31 - Code Injection
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CVSS 8.0
CVE-2021-25961 WRITEUP HIGH WRITEUP
Salesagility Suitecrm < 7.10.32 - Password Reset Weakness
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
CVSS 8.0