CVE-2021-41595

MEDIUM

SuiteCRM < 7.10.33 and 7.11.22 - Directory Traversal via Import Step3 file_name Parameter

Title source: llm

Description

SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.

References (4)

Core 4

Core References

Product, Third Party Advisory x_refsource_misc

https://github.com/salesagility/SuiteCRM

Release Notes, Vendor Advisory x_refsource_confirm

https://docs.suitecrm.com/admin/releases/7.10.x/#_7_10_33

Release Notes, Vendor Advisory x_refsource_confirm

https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_22

Third Party Advisory x_refsource_misc

https://github.com/ach-ing/cves/blob/main/CVE-2021-41595.md

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0177

EPSS Percentile 75.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

salesagility/suitecrm < 7.10.33

Published Oct 04, 2021

Tracked Since Feb 18, 2026