U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:salesagility:suitecrm:7.9.12:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 48 matching records.
Displaying matches 41 through 48.
Vuln ID Summary CVSS Severity
CVE-2020-14208

SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.

Published: November 18, 2020; 5:15:11 PM -0500 		V4.0:(not available)
 V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-15301

SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.

Published: November 18, 2020; 4:15:11 PM -0500 		V4.0:(not available)
 V3.1: 7.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-28328

SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

Published: November 06, 2020; 2:15:14 PM -0500 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2020-8804

SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.

Published: February 13, 2020; 11:15:14 AM -0500 		V4.0:(not available)
 V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-8803

SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.

Published: February 13, 2020; 11:15:14 AM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-8802

SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.

Published: February 13, 2020; 11:15:14 AM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-8801

SuiteCRM through 7.11.11 allows PHAR Deserialization.

Published: February 13, 2020; 11:15:14 AM -0500 		V4.0:(not available)
 V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-8800

SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.

Published: February 13, 2020; 11:15:13 AM -0500 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM