
Salesagility Suitecrm vulnerabilities

105 known vulnerabilities affecting salesagility/suitecrm.

Total CVEs: 105
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 21, HIGH 43, MEDIUM 40, LOW 1

Vulnerabilities

Page 4 of 6
CVE-2020-8804 | P3 | MEDIUM | CVSS 6.5 | versions: ≤ 7.11.10 | published 2020-02-13
CWE-89: SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
Source: nvd
CVE-2024-36417 | P3 | CRITICAL | CVSS 9.0 | versions: fixed in 7.14.4; ≥ 8.0.0, < 8.6.1 (+1 more) | published 2024-06-10
CWE-79: SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added to some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2024-36416 | P3 | HIGH | CVSS 7.5 | versions: fixed in 7.14.4; ≥ 8.0.0, < 8.6.1 (+1 more) | published 2024-06-10
CWE-779: SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2021-25961 | P3 | HIGH | CVSS 8.0 | versions: ≥ 7.1.7, < 7.10.32; ≥ 7.11.0, < 7.11.21 (+2 more) | published 2021-09-29
CWE-640: In the "SuiteCRM" application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes account takeover possible for any newly created user with the same user id.
Source: nvd
CVE-2020-8787 | P3 | HIGH | CVSS 7.5 | versions: ≥ 7.10.0, < 7.10.23; ≥ 7.11.0, < 7.11.11 | published 2020-03-16
CWE-20: SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
Source: nvd
CVE-2022-0754 | P3 | MEDIUM | CVSS 6.5 | versions: fixed in 7.12.5 | published 2022-03-07
CWE-89: SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.
Source: nvd
CVE-2024-36407 | P3 | MEDIUM | CVSS 6.5 | versions: fixed in 7.14.4; ≥ 8.0.0, < 8.6.1 (+1 more) | published 2024-06-10
CWE-640: SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset by an unauthenticated attacker. The attacker does not get access to the new password, but this can be annoying for the user. This attack is also dependent on some password reset functionalities
Source: nvd
CVE-2024-49773 | P3 | MEDIUM | CVSS 6.5 | versions: fixed in 7.14.6; ≥ 8.0.0, < 8.7.1 (+1 more) | published 2024-11-05
CWE-89: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows an authenticated user to perform a SQL injection attack. User-controlled input is used to build a SQL query. The `current_post` parameter in the `export` entry point can be abused to perform blind SQL injection via generateSearc
Source: nvd
CVE-2024-36414 | P3 | MEDIUM | CVSS 6.5 | versions: fixed in 7.14.4; ≥ 8.0.0, < 8.6.1 (+1 more) | published 2024-06-10
CWE-918: SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2023-3627 | P3 | HIGH | CVSS 8.8 | versions: fixed in 8.3.1 | published 2023-07-11
CWE-352: Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.
Source: nvd
CVE-2020-15301 | P3 | HIGH | CVSS 7.8 | versions: ≤ 7.11.13; ≥ v7.10.29, < v7.10* (+1 more) | published 2020-11-18
CWE-1236: SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
Source: nvd
CVE-2022-0756 | P3 | MEDIUM | CVSS 6.5 | versions: fixed in 7.12.5 | published 2022-03-07
CWE-862: Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
Source: nvd
CVE-2023-5353 | P3 | MEDIUM | CVSS 6.5 | versions: fixed in 7.14.1 | published 2023-10-03
CWE-284: Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
Source: nvd
CVE-2025-54786 | P4 | MEDIUM | CVSS 5.3 | versions: v7.14.6; v8.8.0 | published 2025-08-07
CWE-200: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functional
Source: nvd
CVE-2022-50590 | P4 | MEDIUM | CVSS 5.3 | versions: fixed in 7.12.6 | published 2025-11-06
CWE-843: SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the 'module' parameter within the 'deleteAttachment' functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator.
Source: nvd
CVE-2021-41596 | P4 | MEDIUM | CVSS 5.3 | versions: fixed in 7.10.33; ≥ 7.11.0, < 7.11.22 | published 2021-10-04
CWE-22: SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
Source: nvd
CVE-2021-41595 | P4 | MEDIUM | CVSS 5.3 | versions: fixed in 7.10.33; ≥ 7.11.0, < 7.11.22 | published 2021-10-04
CWE-22: SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
Source: nvd
CVE-2021-39267 | P4 | MEDIUM | CVSS 6.1 | versions: fixed in 7.11.19 | published 2021-08-18
CWE-79: Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
Source: nvd
CVE-2025-54784 | P4 | MEDIUM | CVSS 6.1 | versions: ≥ 7.14.0, < 7.14.7; ≥ 8.6.0, < 8.8.1 | published 2025-08-07
CWE-79: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of the SuiteCRM-instance. By simply viewing emails as the logged-in user, t
Source: nvd
CVE-2023-6388 | P4 | MEDIUM | CVSS 5.0 | versions: v7.14.2 | published 2024-02-07
CWE-918: Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to SSRF.
Source: nvd
Salesagility Suitecrm vulnerabilities | cvebase