
SalesAgility SuiteCRM vulnerabilities

105 known vulnerabilities affecting salesagility/suitecrm.

Total CVEs: 105
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1

Severity breakdown: CRITICAL 21 | HIGH 43 | MEDIUM 40 | LOW 1

Vulnerabilities

Page 5 of 6
CVE-2024-36419 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 8.6.1 | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
Source: NVD

CVE-2019-16922 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 7.10.0, < 7.10.20; ≥ 7.11.0, < 7.11.8 | 2019-09-27
SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.
Source: NVD

CVE-2023-6127 | P4 | MEDIUM | CVSS 5.4 | CWE-434 | fixed in 7.12.14; v7.14.0; +3 more | 2023-11-14
Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Source: NVD

CVE-2021-39268 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.11.19 | 2021-08-18
Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.
Source: NVD

CVE-2021-45903 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.10.35; affected: ≥ 7.11.0, < 7.12.2 | 2021-12-28
A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows a remote attacker to introduce arbitrary JavaScript via attachments upload, a different vulnerability than CVE-2021-39267 and CVE-2021-39268.
Source: NVD

CVE-2025-54783 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.14.7 | 2025-08-07
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include some arbitrary domain with malicious JavaScript
Source: NVD

CVE-2025-41384 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: v7.14.1 | 2025-10-27
Cross-Site Scripting (XSS) vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but will allow the JavaScript code to execute.
Source: NVD

CVE-2025-64491 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.14.8 | 2025-11-08
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering the login form to send credentials to an attacker-controlled server. As a r
Source: NVD

CVE-2024-50335 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.14.6; affected: ≥ 8.0.0, < 8.7.1; +1 more | 2024-11-05
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions,
Source: NVD

CVE-2018-20816 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 7.0.0, < 7.8.24; ≥ 7.10.00, < 7.10.11 | 2019-04-05
An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie stealing, aka session hijacking. This issue affects the "add dashboard pages" feature where users can receive a malicious attack through a phished URL, with script executed.
Source: NVD

CVE-2021-31792 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.11.19 | 2021-04-30
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field.
Source: NVD

CVE-2019-18782 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 7.10.0, < 7.10.21; ≥ 7.11.0, < 7.11.9 | 2020-03-20
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.
Source: NVD

CVE-2019-14752 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 7.10.0, < 7.10.20; ≥ 7.11.0, < 7.11.8 | 2019-09-30
SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS.
Source: NVD

CVE-2020-14208 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 7.11.13 | 2020-11-18
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
Source: NVD

CVE-2023-6128 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.12.14; v7.14.0; +3 more | 2023-11-14
Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Source: NVD

CVE-2023-5351 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.14.1 | 2023-10-03
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1.
Source: NVD

CVE-2024-36413 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.14.4; affected: ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: NVD

CVE-2024-36406 | P4 | MEDIUM | CVSS 5.4 | CWE-601 | fixed in 7.14.4; affected: ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: NVD

CVE-2020-15300 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | affected: ≤ 7.11.13 | 2020-11-18
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
Source: NVD

CVE-2018-15606 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 7.0.0, < 7.8.21; ≥ 7.10.0, < 7.10.8 | 2018-09-26
An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message.
Source: NVD