pkg:Bitnami/suitecrm

All known vulnerabilities

• CRITICAL9.8CVE-2024-36412SuiteCRM unauthenticated SQL Injection
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• CRITICAL9.8CVE-2020-8783SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8CVE-2020-8784SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8CVE-2020-8785SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8CVE-2020-8786SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• CRITICAL9.8CVE-2020-8802SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
  from 0, < 7.11.12
• CRITICAL9.8CVE-2020-8803SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
  from 0, < 7.11.12
• CRITICAL9.8CVE-2021-45898SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
  from 0, < 7.12.3, >= 8.0.0, < 8.0.2
• CRITICAL9.8CVE-2021-45899SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
  from 0, < 7.12.3, >= 8.0.0, < 8.0.2
• CRITICAL9.8CVE-2023-6126Code Injection in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• CRITICAL9.1CVE-2023-5350SQL Injection in salesagility/suitecrm
  from 0, < 7.14.1
• CRITICAL9.0CVE-2024-36417SuiteCRM Stored XSS Vulnerability Allows Code Execution via Malicious iFrame
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2022-45185An issue was discovered in SuiteCRM 7.12.7.
  >= 7.12.7, <= 7.12.7
• HIGH8.8CVE-2024-1644Suite CRM v7.14.2 - RCE via Local File Inclusion
  >= 7.14.2, < 7.14.3
• HIGH8.8CVE-2024-49772Authenticated SQL injection in AM_ProjectTemplates controller in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH8.8CVE-2024-50332Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH8.8CVE-2024-50333RCE in ModuleBuilder in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH8.8CVE-2024-36408SuiteCRM authenticated SQL Injection in Alerts
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2024-36409SuiteCRM authenticated SQL Injection in TreeData entrypoint
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2024-36410SuiteCRM authenticated SQL Injection in EmailUIAjax messages count controller
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2024-36411SuiteCRM authenticated SQL Injection in EmailUIAjax displayView controller
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2024-36415SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2024-36418SuiteCRM authenticated RCE using connectors
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH8.8CVE-2020-28328SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting.
  from 0, < 7.11.17
• HIGH8.8CVE-2020-8800SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.
  from 0, < 7.11.12
• HIGH8.8CVE-2021-41597SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is…
  >= 7.10.0, < 7.10.35, >= 7.12.0, < 7.12.2
• HIGH8.8CVE-2021-41869SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
  >= 7.10.0, < 7.10.33, >= 7.11.0, < 7.11.22
• HIGH8.8CVE-2021-42840SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting.
  from 0, < 7.11.19
• HIGH8.8CVE-2021-45041SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving res…
  from 0, < 7.12.2 | >= 8.0.0, <= 8.0.0
• HIGH8.8CVE-2021-45897SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.
  from 0, < 7.12.3, >= 8.0.0, < 8.0.2
• HIGH8.8CVE-2022-23940SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution.
  from 0, < 7.12.5, >= 8.0.0, < 8.0.4
• HIGH8.8CVE-2023-1034Path Traversal: '\..\filename' in salesagility/suitecrm
  from 0, < 7.12.9
• HIGH8.8CVE-2023-3627Cross-Site Request Forgery (CSRF) in salesagility/suitecrm-core
  from 0, < 8.3.1
• HIGH8.8CVE-2023-6125Code Injection in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• HIGH8.8CVE-2023-6130Path Traversal: '\..\filename' in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• HIGH8.8CVE-2023-6131Code Injection in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• HIGH8.1CVE-2022-45186An issue was discovered in SuiteCRM 7.12.7.
  >= 7.12.7, <= 7.12.7
• HIGH8.0CVE-2021-25960SuiteCRM - CSV Injection in Accounts Module
  >= 7.10.29, < 7.10.32, >= 7.11.18, < 7.11.21
• HIGH8.0CVE-2021-25961SuiteCRM - Account Takeover in Password Reset Functionality
  >= 7.1.7, < 7.10.32, >= 7.11.0, < 7.11.21
• HIGH7.8CVE-2020-15301SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules.
  from 0, < 7.11.14
• HIGH7.5CVE-2024-36416SuiteCRM v4 API Excessive log data DOS
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• HIGH7.5CVE-2020-8787SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
  >= 7.10.0, < 7.10.23, >= 7.11.0, < 7.11.11
• HIGH7.2CVE-2024-49774ModuleScanner flaws in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• HIGH7.2CVE-2020-8801SuiteCRM through 7.11.11 allows PHAR Deserialization.
  from 0, < 7.11.12
• HIGH7.2CVE-2022-27474SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
  >= 7.11.23, < 7.11.24
• MEDIUM6.5CVE-2024-49773Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• MEDIUM6.5CVE-2024-36407SuiteCRM unauthenticated user password reset on php7
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM6.5CVE-2024-36414SuiteCRM authenticated Server-Side Request Forgery
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM6.5CVE-2020-8804SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
  from 0, < 7.11.11
• MEDIUM6.5CVE-2022-0754SQL Injection in salesagility/suitecrm
  from 0, < 7.12.5
• MEDIUM6.5CVE-2022-0756Missing Authorization in salesagility/suitecrm
  from 0, < 7.12.5
• MEDIUM6.5CVE-2023-5353Improper Access Control in salesagility/suitecrm
  from 0, < 7.14.1
• MEDIUM6.1CVE-2024-36419SuiteCRM-Core Host Header Injection in /legacy
  from 0, < 8.6.1
• MEDIUM6.1CVE-2020-15300SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
  from 0, < 7.11.14
• MEDIUM6.1CVE-2021-39267Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaS…
  from 0, < 7.11.19
• MEDIUM6.1CVE-2021-39268Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaS…
  from 0, < 7.11.19
• MEDIUM6.1CVE-2021-45903A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows…
  from 0, < 7.10.35, >= 7.11.0, < 7.12.2
• MEDIUM5.4CVE-2024-50335Authenticated XSS in "Publish Key" Field Allowing Unauthorized Administrator User Creation in SuiteCRM
  from 0, < 7.14.6, >= 8.0.0, < 8.7.1
• MEDIUM5.4CVE-2024-36406SuiteCRM vulnerable to open redirects
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM5.4CVE-2024-36413SuiteCRM authenticated Reflected Cross-Site Scripting
  from 0, < 7.14.4, >= 8.0.0, < 8.6.1
• MEDIUM5.4CVE-2020-14208SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality.
  from 0, < 7.11.14
• MEDIUM5.4CVE-2021-31792XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
  from 0, < 7.11.19
• MEDIUM5.4CVE-2023-5351Cross-site Scripting (XSS) - Stored in salesagility/suitecrm
  from 0, < 7.14.1
• MEDIUM5.4CVE-2023-6127Unrestricted Upload of File with Dangerous Type in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• MEDIUM5.4CVE-2023-6128Cross-site Scripting (XSS) - Reflected in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2
• MEDIUM5.3CVE-2025-54786SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data
  >= 7.14.6, < 7.14.7, >= 8.8.0, < 8.8.1
• MEDIUM5.3CVE-2021-41595SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal.
  from 0, < 7.10.33, >= 7.11.0, < 7.11.22
• MEDIUM5.3CVE-2021-41596SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal.
  from 0, < 7.10.33, >= 7.11.0, < 7.11.22
• MEDIUM5.3CVE-2023-47643SuiteCRM has Unauthenticated Graphql Introspection Enabled
  >= 8.4.1, < 8.4.2
• MEDIUM5.0CVE-2023-6388Suite CRM v7.14.2 - SSRF
  >= 7.14.2, < 7.14.3
• MEDIUM4.8CVE-2023-3293Cross-site Scripting (XSS) - Stored in salesagility/suitecrm-core
  >= 8.0.0, < 8.0.3
• MEDIUM4.3CVE-2024-45392SuiteCRM has wrong deletion permission checks on API delete call
  from 0, < 7.14.5, >= 8.0.0, < 8.6.2
• MEDIUM4.3CVE-2022-0755Missing Authorization in salesagility/suitecrm
  from 0, < 7.12.5
• MEDIUM4.3CVE-2023-6124Server-Side Request Forgery (SSRF) in salesagility/suitecrm
  from 0, < 7.12.14, >= 7.14.0, < 7.14.2, >= 8.4.0, < 8.4.2