Writeup Exploits

63,652 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-45392 WRITEUP HIGH
SuiteCRM <7.14.5-8.6.2 - Info Disclosure
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue.
CVSS 7.7
CVE-2024-36419 WRITEUP MEDIUM
SuiteCRM <8.6.1 - Host Header Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
CVSS 4.3
CVE-2024-36418 WRITEUP HIGH
SuiteCRM <7.14.4-8.6.1 - Authenticated RCE
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 8.5
CVE-2024-36417 WRITEUP MEDIUM
SuiteCRM < 7.14.4 - Cross-Site Scripting via Unverified IFrame Input
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 5.7
CVE-2024-36416 WRITEUP HIGH
SuiteCRM < 7.14.4 - Denial of Service via Excessive Logging in v4 API
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 8.6
CVE-2024-36415 WRITEUP CRITICAL
SuiteCRM < 7.14.4 - Remote Code Execution via Unrestricted File Upload
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.1
CVE-2024-36414 WRITEUP HIGH
SuiteCRM < 7.14.4 - Server-Side Request Forgery via Connectors File Verification
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 7.7
CVE-2024-36413 WRITEUP HIGH
SuiteCRM < 7.14.4 - Cross-Site Scripting in Import Module Error View
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 8.9
CVE-2024-36412 WRITEUP CRITICAL
SuiteCRM <7.14.4-8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 10.0
CVE-2024-36411 WRITEUP CRITICAL
SuiteCRM <7.14.4,8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
CVE-2024-36410 WRITEUP CRITICAL
SuiteCRM <7.14.4-8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
CVE-2024-36409 WRITEUP CRITICAL
SuiteCRM <7.14.4, <8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
CVE-2024-36408 WRITEUP CRITICAL
SuiteCRM <7.14.4-8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
CVE-2024-36407 WRITEUP LOW
SuiteCRM <7.14.4-8.6.1 - Info Disclosure
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 3.7
CVE-2024-36406 WRITEUP MEDIUM
SuiteCRM <7.14.4-8.6.1 - Open Redirect
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 5.4
CVE-2023-47643 WRITEUP LOW
SuiteCRM < 8.4.2 - Unauthenticated Exposure of Sensitive Information via GraphQL Introspection
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
CVSS 3.1
CVE-2021-41869 WRITEUP HIGH
SuiteCRM 7.10.0-7.10.32 and 7.11.0-7.11.21 - Privilege Escalation
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
CVSS 8.8
CVE-2021-41597 WRITEUP HIGH
SuiteCRM 7.10.0-7.10.35 - Cross-Site Request Forgery via UpgradeWizard
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVSS 8.8
CVE-2021-41596 WRITEUP MEDIUM
SuiteCRM < 7.10.33 and 7.11.22 - Path Traversal and Information Disclosure via RefreshMapping Import
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
CVSS 5.3
CVE-2021-41595 WRITEUP MEDIUM
SuiteCRM < 7.10.33 and 7.11.22 - Directory Traversal via Import Step3 file_name Parameter
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
CVSS 5.3
CVE-2021-25961 WRITEUP HIGH
SuiteCRM 7.1.7-7.10.31 and 7.11-beta-7.11.20 - Account Takeover via Uninvalidated Password Reset Links
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
CVSS 8.0
CVE-2021-25960 WRITEUP HIGH
SuiteCRM <7.11.19 & 7.10.31 - Code Injection
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CVSS 8.0
CVE-2015-5948 WRITEUP HIGH
SuiteCRM < 7.2.2 - Remote Code Execution via Race Condition
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
CVSS 8.1
CVE-2015-5947 WRITEUP HIGH
SuiteCRM < 7.2.2 - Remote Code Execution via Race Condition
SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.
CVSS 8.1
CVE-2021-41945 WRITEUP CRITICAL
httpx < 0.23.0 - Improper Input Validation in URL.copy_with
Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
CVSS 9.1