Jack Anderson

19 exploits Active since Feb 2023
CVE-2023-5350 WRITEUP CRITICAL WRITEUP
SuiteCRM < 7.14.1 - SQL Injection
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
CVSS 9.1
CVE-2023-1034 WRITEUP HIGH WRITEUP
SuiteCRM < 7.12.9 - Path Traversal via Backslash Sequence
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.
CVSS 8.8
CVE-2023-3293 WRITEUP MEDIUM WRITEUP
SuiteCRM 8.0.0-8.0.3 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to 8.3.0.
CVSS 4.8
CVE-2023-3627 WRITEUP HIGH WRITEUP
GitHub salesagility/suitecrm-core <8.3.1 - CSRF
Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.
CVSS 8.8
CVE-2023-47643 WRITEUP LOW WRITEUP
SuiteCRM < 8.4.2 - Unauthenticated Exposure of Sensitive Information via GraphQL Introspection
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
CVSS 3.1
CVE-2023-5351 WRITEUP MEDIUM WRITEUP
SuiteCRM < 7.14.1 - Stored Cross-Site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1.
CVSS 5.4
CVE-2023-5353 WRITEUP MEDIUM WRITEUP
SuiteCRM < 7.14.1 - Improper Access Control
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
CVSS 6.5
CVE-2023-6124 WRITEUP MEDIUM WRITEUP
salesagility/suitecrm <7.14.2-8.4.2-7.12.14 - SSRF
Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.
CVSS 4.3
CVE-2023-6125 WRITEUP HIGH WRITEUP
GitHub salesagility/suitecrm <7.14.2-8.4.2 - Code Injection
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVSS 8.8
CVE-2023-6126 WRITEUP CRITICAL WRITEUP
salesagility/suitecrm <7.14.2-8.4.2 - Code Injection
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVSS 9.8
CVE-2023-6127 WRITEUP MEDIUM WRITEUP
SuiteCRM < 7.12.14 - Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVSS 5.4
CVE-2023-6128 WRITEUP MEDIUM WRITEUP
GitHub salesagility/suitecrm <7.14.2-8.4.2 - XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVSS 5.4
CVE-2023-6130 WRITEUP HIGH WRITEUP
salesagility/suitecrm <7.14.2-8.4.2 - Path Traversal
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVSS 8.8
CVE-2023-6131 WRITEUP HIGH WRITEUP
salesagility/suitecrm <7.14.2-8.4.2 - Code Injection
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVSS 8.8
CVE-2025-64488 WRITEUP HIGH WRITEUP
SuiteCRM < 7.14.8 and 8.0.0-beta.1-8.9.0 - SQL Injection via Crafted call_id
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data ex-filtration, complete database compromise, and other various issues. This issue is fixed in versions 7.14.8 and 8.9.1.
CVSS 8.8
CVE-2025-64488 WRITEUP HIGH WRITEUP
SuiteCRM < 7.14.8 and 8.0.0-beta.1-8.9.0 - SQL Injection via Crafted call_id
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data ex-filtration, complete database compromise, and other various issues. This issue is fixed in versions 7.14.8 and 8.9.1.
CVSS 8.8
CVE-2025-64489 WRITEUP HIGH WRITEUP
SuiteCRM < 7.14.8 - Privilege Escalation via Inactive User Session Persistence
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1.
CVSS 8.3
CVE-2025-64489 WRITEUP HIGH WRITEUP
SuiteCRM < 7.14.8 - Privilege Escalation via Inactive User Session Persistence
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1.
CVSS 8.3
CVE-2025-64491 WRITEUP MEDIUM WRITEUP
SuiteCRM < 7.14.8 - Unauthenticated Reflected Cross-Site Scripting
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering the login form to send credentials to an attacker-controlled server. As a reflected XSS issue, exploitation requires the victim to open a crafted malicious link, which can be delivered via phishing, social media, or other communication channels. This issue is fixed in version 7.14.8.
CVSS 6.1