Writeup Exploits
63,652 exploits tracked across all sources.
SuiteCRM <7.14.5-8.6.2 - Info Disclosure
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue.
CVSS 7.7
SuiteCRM <8.6.1 - Host Header Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
CVSS 4.3
SuiteCRM <7.14.4-8.6.1 - Authenticated RCE
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 8.5
SuiteCRM < 7.14.4 - Cross-Site Scripting via Unverified IFrame Input
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 5.7
SuiteCRM < 7.14.4 - Denial of Service via Excessive Logging in v4 API
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 8.6
SuiteCRM < 7.14.4 - Remote Code Execution via Unrestricted File Upload
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.1
SuiteCRM < 7.14.4 - Server-Side Request Forgery via Connectors File Verification
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 7.7
SuiteCRM < 7.14.4 - Cross-Site Scripting in Import Module Error View
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 8.9
SuiteCRM <7.14.4-8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 10.0
SuiteCRM <7.14.4,8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
SuiteCRM <7.14.4-8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
SuiteCRM <7.14.4, <8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
SuiteCRM <7.14.4-8.6.1 - SQL Injection
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 9.6
SuiteCRM <7.14.4-8.6.1 - Info Disclosure
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 3.7
SuiteCRM <7.14.4-8.6.1 - Open Redirect
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVSS 5.4
SuiteCRM < 8.4.2 - Unauthenticated Exposure of Sensitive Information via GraphQL Introspection
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
CVSS 3.1
SuiteCRM 7.10.0-7.10.32 and 7.11.0-7.11.21 - Privilege Escalation
SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
CVSS 8.8
SuiteCRM 7.10.0-7.10.35 - Cross-Site Request Forgery via UpgradeWizard
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
CVSS 8.8
SuiteCRM < 7.10.33 and 7.11.22 - Path Traversal and Information Disclosure via RefreshMapping Import
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
CVSS 5.3
SuiteCRM < 7.10.33 and 7.11.22 - Directory Traversal via Import Step3 file_name Parameter
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
CVSS 5.3
SuiteCRM 7.1.7-7.10.31 and 7.11-beta-7.11.20 - Account Takeover via Uninvalidated Password Reset Links
In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that is associated with a deleted user id, which makes it possible for account takeover of any newly created user with the same user id.
CVSS 8.0
SuiteCRM <7.11.19 & 7.10.31 - Code Injection
In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
CVSS 8.0
SuiteCRM < 7.2.2 - Remote Code Execution via Race Condition
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
CVSS 8.1
SuiteCRM < 7.2.2 - Remote Code Execution via Race Condition
SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.
CVSS 8.1
httpx < 0.23.0 - Improper Input Validation in URL.copy_with
Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
CVSS 9.1
By Source