Salesagility Suitecrm vulnerabilities
105 known vulnerabilities affecting salesagility/suitecrm.
Total CVEs: 105
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 21, HIGH 43, MEDIUM 40, LOW 1
Vulnerabilities
Page 1 of 6
CVE-2023-47643 | P1 | MEDIUM | CVSS 5.3 | Exploited | PoC | v8.4.1 | 2023-11-21 | CWE-200
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields
Source: nvd
CVE-2020-28328 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 7.11.17 | 2020-11-06 | CWE-434
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.
Source: nvd
CVE-2021-42840 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 7.11.19 | 2021-10-22
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for
Source: nvd
CVE-2024-36412 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 7.14.4 | ≥ 8.0.0, < 8.6.1 (+1 more) | 2024-06-10 | CWE-89
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2023-5350 | P2 | CRITICAL | CVSS 9.1 | PoC | fixed in 7.14.1 | 2023-10-03 | CWE-89
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
Source: nvd
CVE-2022-23940 | P2 | HIGH | CVSS 8.8 | fixed in 7.12.5 | ≥ 8.0, < 8.0.4 | 2022-03-10 | CWE-502
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients
Source: nvd
CVE-2023-1034 | P2 | HIGH | CVSS 8.8 | fixed in 7.12.9 | 2023-02-25 | CWE-29
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9.
Source: nvd
CVE-2022-50589 | P2 | CRITICAL | CVSS 9.8 | fixed in 7.12.6 | 2025-11-06 | CWE-89
SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the 'uid' parameter within the 'export' functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code.
Source: nvd
CVE-2021-45899 | P2 | CRITICAL | CVSS 9.8 | fixed in 7.12.3 | ≥ 8.0.0, < 8.0.2 (+1 more) | 2022-01-28 | CWE-502
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
Source: nvd
CVE-2021-45897 | P2 | HIGH | CVSS 8.8 | fixed in 7.12.3 | ≥ 8.0.0, < 8.0.2 (+1 more) | 2022-01-28
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.
Source: nvd
CVE-2022-27474 | P3 | HIGH | CVSS 7.2 | v7.11.23 | 2022-04-15
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
Source: nvd
CVE-2024-36415 | P3 | HIGH | CVSS 8.8 | fixed in 7.14.4 | ≥ 8.0.0, < 8.6.1 (+1 more) | 2024-06-10 | CWE-98
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2024-36418 | P3 | HIGH | CVSS 8.8 | fixed in 7.14.4 | ≥ 8.0.0, < 8.6.1 (+1 more) | 2024-06-10 | CWE-22
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2025-54788 | P3 | HIGH | CVSS 8.8 | fixed in 7.14.7 | 2025-08-07 | CWE-89
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the InboundEmail module allows the arbitrary execution of queries in the backend database, leading to SQL injection. This can have wide-reaching implications on confidentiality, integrity, and availability, as database data c
Source: nvd
CVE-2025-64489 | P3 | HIGH | CVSS 8.8 | fixed in 7.14.8 | ≥ 8.0.0, < 8.9.1 | 2025-11-08 | CWE-269
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application an
Source: nvd
CVE-2019-6506 | P3 | CRITICAL | CVSS 9.8 | v7.11.0 | 2019-04-02 | CWE-89
SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection.
Source: nvd
CVE-2025-64488 | P3 | HIGH | CVSS 8.8 | fixed in 7.14.8 | ≥ 8.0.0, ≤ 8.9.0 | 2025-11-08 | CWE-89
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data ex-filtrati
Source: nvd
CVE-2025-64492 | P3 | HIGH | CVSS 8.8 | ≥ 8.0.0, < 8.9.1 | 2025-11-08 | CWE-89
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive inf
Source: nvd
CVE-2019-18784 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.10.0, < 7.10.21 | ≥ 7.11.0, < 7.11.9 | 2019-11-06 | CWE-89
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
Source: nvd
CVE-2020-8803 | P3 | CRITICAL | CVSS 9.8 | ≤ 7.11.11 | 2020-02-13 | CWE-22
SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
Source: nvd